diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -7,9 +7,8 @@
 
 
 ## Version
-
-`1.4.5`
-
+ 
+`2.0` - Derived from API version @2011-06-15@ of the AWS service descriptions, licensed under Apache 2.0.
 
 ## Description
 
@@ -26,7 +25,7 @@
 The provided lenses should be compatible with any of the major lens libraries
 [lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).
 
-See [Network.AWS.STS](http://hackage.haskell.org/package/amazonka-sts/docs/Network-AWS-STS.html)
+See [Amazonka.STS](http://hackage.haskell.org/package/amazonka-sts/docs/Amazonka-STS.html)
 or [the AWS documentation](https://aws.amazon.com/documentation/) to get started.
 
 
diff --git a/Setup.hs b/Setup.hs
deleted file mode 100644
--- a/Setup.hs
+++ /dev/null
@@ -1,2 +0,0 @@
-import           Distribution.Simple
-main = defaultMain
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
--- a/amazonka-sts.cabal
+++ b/amazonka-sts.cabal
@@ -1,87 +1,95 @@
-name:                  amazonka-sts
-version:               1.4.5
-synopsis:              Amazon Security Token Service SDK.
-homepage:              https://github.com/brendanhay/amazonka
-bug-reports:           https://github.com/brendanhay/amazonka/issues
-license:               OtherLicense
-license-file:          LICENSE
-author:                Brendan Hay
-maintainer:            Brendan Hay <brendan.g.hay@gmail.com>
-copyright:             Copyright (c) 2013-2016 Brendan Hay
-category:              Network, AWS, Cloud, Distributed Computing
-build-type:            Simple
-cabal-version:         >= 1.10
-extra-source-files:    README.md fixture/*.yaml fixture/*.proto src/.gitkeep
+cabal-version:      2.2
+name:               amazonka-sts
+version:            2.0
+synopsis:           Amazon Security Token Service SDK.
+homepage:           https://github.com/brendanhay/amazonka
+bug-reports:        https://github.com/brendanhay/amazonka/issues
+license:            MPL-2.0
+license-file:       LICENSE
+author:             Brendan Hay
+maintainer:
+  Brendan Hay <brendan.g.hay+amazonka@gmail.com>, Jack Kelly <jack@jackkelly.name>
+
+copyright:          Copyright (c) 2013-2023 Brendan Hay
+category:           AWS
+build-type:         Simple
+extra-source-files:
+  fixture/*.proto
+  fixture/*.yaml
+  README.md
+  src/.gitkeep
+
 description:
-    The types from this library are intended to be used with
-    <http://hackage.haskell.org/package/amazonka amazonka>, which provides
-    mechanisms for specifying AuthN/AuthZ information, sending requests,
-    and receiving responses.
-    .
-    Lenses are used for constructing and manipulating types,
-    due to the depth of nesting of AWS types and transparency regarding
-    de/serialisation into more palatable Haskell values.
-    The provided lenses should be compatible with any of the major lens libraries
-    such as <http://hackage.haskell.org/package/lens lens> or
-    <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
-    .
-    See "Network.AWS.STS" or <https://aws.amazon.com/documentation/ the AWS documentation>
-    to get started.
+  Derived from API version @2011-06-15@ of the AWS service descriptions, licensed under Apache 2.0.
+  .
+  The types from this library are intended to be used with <http://hackage.haskell.org/package/amazonka amazonka>,
+  which provides mechanisms for specifying AuthN/AuthZ information, sending requests, and receiving responses.
+  .
+  It is recommended to use generic lenses or optics from packages such as <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify optional fields and deconstruct responses.
+  .
+  Generated lenses can be found in "Amazonka.STS.Lens" and are
+  suitable for use with a lens package such as <http://hackage.haskell.org/package/lens lens> or <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
+  .
+  See "Amazonka.STS" and the <https://aws.amazon.com/documentation/ AWS documentation> to get started.
 
 source-repository head
-    type:     git
-    location: git://github.com/brendanhay/amazonka.git
+  type:     git
+  location: git://github.com/brendanhay/amazonka.git
+  subdir:   amazonka-sts
 
 library
-    default-language:  Haskell2010
-    hs-source-dirs:    src gen
-
-    ghc-options:       -Wall
-
-    exposed-modules:
-          Network.AWS.STS
-        , Network.AWS.STS.AssumeRole
-        , Network.AWS.STS.AssumeRoleWithSAML
-        , Network.AWS.STS.AssumeRoleWithWebIdentity
-        , Network.AWS.STS.DecodeAuthorizationMessage
-        , Network.AWS.STS.GetCallerIdentity
-        , Network.AWS.STS.GetFederationToken
-        , Network.AWS.STS.GetSessionToken
-        , Network.AWS.STS.Types
-        , Network.AWS.STS.Waiters
+  default-language: Haskell2010
+  hs-source-dirs:   src gen
+  ghc-options:
+    -Wall -fwarn-incomplete-uni-patterns
+    -fwarn-incomplete-record-updates -funbox-strict-fields
 
-    other-modules:
-          Network.AWS.STS.Types.Product
-        , Network.AWS.STS.Types.Sum
+  exposed-modules:
+    Amazonka.STS
+    Amazonka.STS.AssumeRole
+    Amazonka.STS.AssumeRoleWithSAML
+    Amazonka.STS.AssumeRoleWithWebIdentity
+    Amazonka.STS.DecodeAuthorizationMessage
+    Amazonka.STS.GetAccessKeyInfo
+    Amazonka.STS.GetCallerIdentity
+    Amazonka.STS.GetFederationToken
+    Amazonka.STS.GetSessionToken
+    Amazonka.STS.Lens
+    Amazonka.STS.Types
+    Amazonka.STS.Types.AssumedRoleUser
+    Amazonka.STS.Types.FederatedUser
+    Amazonka.STS.Types.PolicyDescriptorType
+    Amazonka.STS.Types.Tag
+    Amazonka.STS.Waiters
 
-    build-depends:
-          amazonka-core == 1.4.5.*
-        , base          >= 4.7     && < 5
+  build-depends:
+    , amazonka-core  >=2.0  && <2.1
+    , base           >=4.12 && <5
 
 test-suite amazonka-sts-test
-    type:              exitcode-stdio-1.0
-    default-language:  Haskell2010
-    hs-source-dirs:    test
-    main-is:           Main.hs
-
-    ghc-options:       -Wall -threaded
+  type:             exitcode-stdio-1.0
+  default-language: Haskell2010
+  hs-source-dirs:   test
+  main-is:          Main.hs
+  ghc-options:      -Wall -threaded
 
-    -- This section is encoded by the template and any modules added by
-    -- hand outside these namespaces will not correctly be added to the
-    -- distribution package.
-    other-modules:
-          Test.AWS.STS
-        , Test.AWS.Gen.STS
-        , Test.AWS.STS.Internal
+  -- This section is encoded by the template and any modules added by
+  -- hand outside these namespaces will not correctly be added to the
+  -- distribution package.
+  other-modules:
+    Test.Amazonka.Gen.STS
+    Test.Amazonka.STS
+    Test.Amazonka.STS.Internal
 
-    build-depends:
-          amazonka-core == 1.4.5.*
-        , amazonka-test == 1.4.5.*
-        , amazonka-sts == 1.4.5.*
-        , base
-        , bytestring
-        , tasty
-        , tasty-hunit
-        , text
-        , time
-        , unordered-containers
+  build-depends:
+    , amazonka-core         >=2.0 && <2.1
+    , amazonka-sts
+    , amazonka-test         >=2.0 && <2.1
+    , base
+    , bytestring
+    , case-insensitive
+    , tasty
+    , tasty-hunit
+    , text
+    , time
+    , unordered-containers
diff --git a/fixture/AssumeRole.yaml b/fixture/AssumeRole.yaml
--- a/fixture/AssumeRole.yaml
+++ b/fixture/AssumeRole.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/AssumeRoleWithSAML.yaml b/fixture/AssumeRoleWithSAML.yaml
--- a/fixture/AssumeRoleWithSAML.yaml
+++ b/fixture/AssumeRoleWithSAML.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/AssumeRoleWithWebIdentity.yaml b/fixture/AssumeRoleWithWebIdentity.yaml
--- a/fixture/AssumeRoleWithWebIdentity.yaml
+++ b/fixture/AssumeRoleWithWebIdentity.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DecodeAuthorizationMessage.yaml b/fixture/DecodeAuthorizationMessage.yaml
--- a/fixture/DecodeAuthorizationMessage.yaml
+++ b/fixture/DecodeAuthorizationMessage.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetAccessKeyInfo.yaml b/fixture/GetAccessKeyInfo.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/GetAccessKeyInfo.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetAccessKeyInfoResponse.proto b/fixture/GetAccessKeyInfoResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/GetAccessKeyInfoResponse.proto
diff --git a/fixture/GetCallerIdentity.yaml b/fixture/GetCallerIdentity.yaml
--- a/fixture/GetCallerIdentity.yaml
+++ b/fixture/GetCallerIdentity.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetFederationToken.yaml b/fixture/GetFederationToken.yaml
--- a/fixture/GetFederationToken.yaml
+++ b/fixture/GetFederationToken.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetSessionToken.yaml b/fixture/GetSessionToken.yaml
--- a/fixture/GetSessionToken.yaml
+++ b/fixture/GetSessionToken.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/sts/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  sts.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/gen/Amazonka/STS.hs b/gen/Amazonka/STS.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS.hs
@@ -0,0 +1,164 @@
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Amazonka.STS
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Derived from API version @2011-06-15@ of the AWS service descriptions, licensed under Apache 2.0.
+--
+-- Security Token Service
+--
+-- Security Token Service (STS) enables you to request temporary,
+-- limited-privilege credentials for Identity and Access Management (IAM)
+-- users or for users that you authenticate (federated users). This guide
+-- provides descriptions of the STS API. For more information about using
+-- this service, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary Security Credentials>.
+module Amazonka.STS
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    -- $errors
+
+    -- ** ExpiredTokenException
+    _ExpiredTokenException,
+
+    -- ** IDPCommunicationErrorException
+    _IDPCommunicationErrorException,
+
+    -- ** IDPRejectedClaimException
+    _IDPRejectedClaimException,
+
+    -- ** InvalidAuthorizationMessageException
+    _InvalidAuthorizationMessageException,
+
+    -- ** InvalidIdentityTokenException
+    _InvalidIdentityTokenException,
+
+    -- ** MalformedPolicyDocumentException
+    _MalformedPolicyDocumentException,
+
+    -- ** PackedPolicyTooLargeException
+    _PackedPolicyTooLargeException,
+
+    -- ** RegionDisabledException
+    _RegionDisabledException,
+
+    -- * Waiters
+    -- $waiters
+
+    -- * Operations
+    -- $operations
+
+    -- ** AssumeRole
+    AssumeRole (AssumeRole'),
+    newAssumeRole,
+    AssumeRoleResponse (AssumeRoleResponse'),
+    newAssumeRoleResponse,
+
+    -- ** AssumeRoleWithSAML
+    AssumeRoleWithSAML (AssumeRoleWithSAML'),
+    newAssumeRoleWithSAML,
+    AssumeRoleWithSAMLResponse (AssumeRoleWithSAMLResponse'),
+    newAssumeRoleWithSAMLResponse,
+
+    -- ** AssumeRoleWithWebIdentity
+    AssumeRoleWithWebIdentity (AssumeRoleWithWebIdentity'),
+    newAssumeRoleWithWebIdentity,
+    AssumeRoleWithWebIdentityResponse (AssumeRoleWithWebIdentityResponse'),
+    newAssumeRoleWithWebIdentityResponse,
+
+    -- ** DecodeAuthorizationMessage
+    DecodeAuthorizationMessage (DecodeAuthorizationMessage'),
+    newDecodeAuthorizationMessage,
+    DecodeAuthorizationMessageResponse (DecodeAuthorizationMessageResponse'),
+    newDecodeAuthorizationMessageResponse,
+
+    -- ** GetAccessKeyInfo
+    GetAccessKeyInfo (GetAccessKeyInfo'),
+    newGetAccessKeyInfo,
+    GetAccessKeyInfoResponse (GetAccessKeyInfoResponse'),
+    newGetAccessKeyInfoResponse,
+
+    -- ** GetCallerIdentity
+    GetCallerIdentity (GetCallerIdentity'),
+    newGetCallerIdentity,
+    GetCallerIdentityResponse (GetCallerIdentityResponse'),
+    newGetCallerIdentityResponse,
+
+    -- ** GetFederationToken
+    GetFederationToken (GetFederationToken'),
+    newGetFederationToken,
+    GetFederationTokenResponse (GetFederationTokenResponse'),
+    newGetFederationTokenResponse,
+
+    -- ** GetSessionToken
+    GetSessionToken (GetSessionToken'),
+    newGetSessionToken,
+    GetSessionTokenResponse (GetSessionTokenResponse'),
+    newGetSessionTokenResponse,
+
+    -- * Types
+
+    -- ** AssumedRoleUser
+    AssumedRoleUser (AssumedRoleUser'),
+    newAssumedRoleUser,
+
+    -- ** FederatedUser
+    FederatedUser (FederatedUser'),
+    newFederatedUser,
+
+    -- ** PolicyDescriptorType
+    PolicyDescriptorType (PolicyDescriptorType'),
+    newPolicyDescriptorType,
+
+    -- ** Tag
+    Tag (Tag'),
+    newTag,
+  )
+where
+
+import Amazonka.STS.AssumeRole
+import Amazonka.STS.AssumeRoleWithSAML
+import Amazonka.STS.AssumeRoleWithWebIdentity
+import Amazonka.STS.DecodeAuthorizationMessage
+import Amazonka.STS.GetAccessKeyInfo
+import Amazonka.STS.GetCallerIdentity
+import Amazonka.STS.GetFederationToken
+import Amazonka.STS.GetSessionToken
+import Amazonka.STS.Lens
+import Amazonka.STS.Types
+import Amazonka.STS.Waiters
+
+-- $errors
+-- Error matchers are designed for use with the functions provided by
+-- <http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
+-- This allows catching (and rethrowing) service specific errors returned
+-- by 'STS'.
+
+-- $operations
+-- Some AWS operations return results that are incomplete and require subsequent
+-- requests in order to obtain the entire result set. The process of sending
+-- subsequent requests to continue where a previous request left off is called
+-- pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
+-- 1000 objects at a time, and you must send subsequent requests with the
+-- appropriate Marker in order to retrieve the next page of results.
+--
+-- Operations that have an 'AWSPager' instance can transparently perform subsequent
+-- requests, correctly setting Markers and other request facets to iterate through
+-- the entire result set of a truncated API operation. Operations which support
+-- this have an additional note in the documentation.
+--
+-- Many operations have the ability to filter results on the server side. See the
+-- individual operation parameters for details.
+
+-- $waiters
+-- Waiters poll by repeatedly sending a request until some remote success condition
+-- configured by the 'Wait' specification is fulfilled. The 'Wait' specification
+-- determines how many attempts should be made, in addition to delay and retry strategies.
diff --git a/gen/Amazonka/STS/AssumeRole.hs b/gen/Amazonka/STS/AssumeRole.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/AssumeRole.hs
@@ -0,0 +1,1112 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.AssumeRole
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns a set of temporary security credentials that you can use to
+-- access Amazon Web Services resources that you might not normally have
+-- access to. These temporary credentials consist of an access key ID, a
+-- secret access key, and a security token. Typically, you use @AssumeRole@
+-- within your account or for cross-account access. For a comparison of
+-- @AssumeRole@ with other API operations that produce temporary
+-- credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the Amazon Web Services STS API operations>
+-- in the /IAM User Guide/.
+--
+-- __Permissions__
+--
+-- The temporary security credentials created by @AssumeRole@ can be used
+-- to make API calls to any Amazon Web Services service with the following
+-- exception: You cannot call the Amazon Web Services STS
+-- @GetFederationToken@ or @GetSessionToken@ API operations.
+--
+-- (Optional) You can pass inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. Passing policies to this operation
+-- returns new temporary credentials. The resulting session\'s permissions
+-- are the intersection of the role\'s identity-based policy and the
+-- session policies. You can use the role\'s temporary credentials in
+-- subsequent Amazon Web Services API calls to access resources in the
+-- account that owns the role. You cannot use session policies to grant
+-- more permissions than those allowed by the identity-based policy of the
+-- role that is being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- When you create a role, you create two policies: A role trust policy
+-- that specifies /who/ can assume the role and a permissions policy that
+-- specifies /what/ can be done with the role. You specify the trusted
+-- principal who is allowed to assume the role in the role trust policy.
+--
+-- To assume a role from a different account, your Amazon Web Services
+-- account must be trusted by the role. The trust relationship is defined
+-- in the role\'s trust policy when the role is created. That trust policy
+-- states which accounts are allowed to delegate that access to users in
+-- the account.
+--
+-- A user who wants to access a role in a different account must also have
+-- permissions that are delegated from the user account administrator. The
+-- administrator must attach a policy that allows the user to call
+-- @AssumeRole@ for the ARN of the role in the other account.
+--
+-- To allow a user to assume a role in the same account, you can do either
+-- of the following:
+--
+-- -   Attach a policy to the user that allows the user to call
+--     @AssumeRole@ (as long as the role\'s trust policy trusts the
+--     account).
+--
+-- -   Add the user as a principal directly in the role\'s trust policy.
+--
+-- You can do either because the role’s trust policy acts as an IAM
+-- resource-based policy. When a resource-based policy grants access to a
+-- principal in the same account, no additional identity-based policy is
+-- required. For more information about trust policies and resource-based
+-- policies, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html IAM Policies>
+-- in the /IAM User Guide/.
+--
+-- __Tags__
+--
+-- (Optional) You can pass tag key-value pairs to your session. These tags
+-- are called session tags. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- An administrator must grant you the permissions necessary to pass
+-- session tags. The administrator can also create granular permissions to
+-- allow you to pass only specific session tags. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control>
+-- in the /IAM User Guide/.
+--
+-- You can set the session tags as transitive. Transitive tags persist
+-- during role chaining. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+-- in the /IAM User Guide/.
+--
+-- __Using MFA with AssumeRole__
+--
+-- (Optional) You can include multi-factor authentication (MFA) information
+-- when you call @AssumeRole@. This is useful for cross-account scenarios
+-- to ensure that the user that assumes the role has been authenticated
+-- with an Amazon Web Services MFA device. In that scenario, the trust
+-- policy of the role being assumed includes a condition that tests for MFA
+-- authentication. If the caller does not include valid MFA information,
+-- the request to assume the role is denied. The condition in a trust
+-- policy that tests for MFA authentication might look like the following
+-- example.
+--
+-- @\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}@
+--
+-- For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>
+-- in the /IAM User Guide/ guide.
+--
+-- To use MFA with @AssumeRole@, you pass values for the @SerialNumber@ and
+-- @TokenCode@ parameters. The @SerialNumber@ value identifies the user\'s
+-- hardware or virtual MFA device. The @TokenCode@ is the time-based
+-- one-time password (TOTP) that the MFA device produces.
+module Amazonka.STS.AssumeRole
+  ( -- * Creating a Request
+    AssumeRole (..),
+    newAssumeRole,
+
+    -- * Request Lenses
+    assumeRole_durationSeconds,
+    assumeRole_externalId,
+    assumeRole_policy,
+    assumeRole_policyArns,
+    assumeRole_serialNumber,
+    assumeRole_sourceIdentity,
+    assumeRole_tags,
+    assumeRole_tokenCode,
+    assumeRole_transitiveTagKeys,
+    assumeRole_roleArn,
+    assumeRole_roleSessionName,
+
+    -- * Destructuring the Response
+    AssumeRoleResponse (..),
+    newAssumeRoleResponse,
+
+    -- * Response Lenses
+    assumeRoleResponse_assumedRoleUser,
+    assumeRoleResponse_packedPolicySize,
+    assumeRoleResponse_sourceIdentity,
+    assumeRoleResponse_httpStatus,
+    assumeRoleResponse_credentials,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newAssumeRole' smart constructor.
+data AssumeRole = AssumeRole'
+  { -- | The duration, in seconds, of the role session. The value specified can
+    -- range from 900 seconds (15 minutes) up to the maximum session duration
+    -- set for the role. The maximum session duration setting can have a value
+    -- from 1 hour to 12 hours. If you specify a value higher than this setting
+    -- or the administrator setting (whichever is lower), the operation fails.
+    -- For example, if you specify a session duration of 12 hours, but your
+    -- administrator set the maximum session duration to 6 hours, your
+    -- operation fails.
+    --
+    -- Role chaining limits your Amazon Web Services CLI or Amazon Web Services
+    -- API role session to a maximum of one hour. When you use the @AssumeRole@
+    -- API operation to assume a role, you can specify the duration of your
+    -- role session with the @DurationSeconds@ parameter. You can specify a
+    -- parameter value of up to 43200 seconds (12 hours), depending on the
+    -- maximum session duration setting for your role. However, if you assume a
+    -- role using role chaining and provide a @DurationSeconds@ parameter value
+    -- greater than one hour, the operation fails. To learn how to view the
+    -- maximum value for your role, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+    -- in the /IAM User Guide/.
+    --
+    -- By default, the value is set to @3600@ seconds.
+    --
+    -- The @DurationSeconds@ parameter is separate from the duration of a
+    -- console session that you might request using the returned credentials.
+    -- The request to the federation endpoint for a console sign-in token takes
+    -- a @SessionDuration@ parameter that specifies the maximum length of the
+    -- console session. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+    -- in the /IAM User Guide/.
+    durationSeconds :: Prelude.Maybe Prelude.Natural,
+    -- | A unique identifier that might be required when you assume a role in
+    -- another account. If the administrator of the account to which the role
+    -- belongs provided you with an external ID, then provide that value in the
+    -- @ExternalId@ parameter. This value can be any string, such as a
+    -- passphrase or account number. A cross-account role is usually set up to
+    -- trust everyone in an account. Therefore, the administrator of the
+    -- trusting account might send an external ID to the administrator of the
+    -- trusted account. That way, only someone with the ID can assume the role,
+    -- rather than everyone in the account. For more information about the
+    -- external ID, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party>
+    -- in the /IAM User Guide/.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@:\/-
+    externalId :: Prelude.Maybe Prelude.Text,
+    -- | An IAM policy in JSON format that you want to use as an inline session
+    -- policy.
+    --
+    -- This parameter is optional. Passing policies to this operation returns
+    -- new temporary credentials. The resulting session\'s permissions are the
+    -- intersection of the role\'s identity-based policy and the session
+    -- policies. You can use the role\'s temporary credentials in subsequent
+    -- Amazon Web Services API calls to access resources in the account that
+    -- owns the role. You cannot use session policies to grant more permissions
+    -- than those allowed by the identity-based policy of the role that is
+    -- being assumed. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    --
+    -- The plaintext that you use for both inline and managed session policies
+    -- can\'t exceed 2,048 characters. The JSON policy characters can be any
+    -- ASCII character from the space character to the end of the valid
+    -- character list (\\u0020 through \\u00FF). It can also include the tab
+    -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    policy :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    -- want to use as managed session policies. The policies must exist in the
+    -- same account as the role.
+    --
+    -- This parameter is optional. You can provide up to 10 managed policy
+    -- ARNs. However, the plaintext that you use for both inline and managed
+    -- session policies can\'t exceed 2,048 characters. For more information
+    -- about ARNs, see
+    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+    -- in the Amazon Web Services General Reference.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    --
+    -- Passing policies to this operation returns new temporary credentials.
+    -- The resulting session\'s permissions are the intersection of the role\'s
+    -- identity-based policy and the session policies. You can use the role\'s
+    -- temporary credentials in subsequent Amazon Web Services API calls to
+    -- access resources in the account that owns the role. You cannot use
+    -- session policies to grant more permissions than those allowed by the
+    -- identity-based policy of the role that is being assumed. For more
+    -- information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    policyArns :: Prelude.Maybe [PolicyDescriptorType],
+    -- | The identification number of the MFA device that is associated with the
+    -- user who is making the @AssumeRole@ call. Specify this value if the
+    -- trust policy of the role being assumed includes a condition that
+    -- requires MFA authentication. The value is either the serial number for a
+    -- hardware device (such as @GAHT12345678@) or an Amazon Resource Name
+    -- (ARN) for a virtual device (such as
+    -- @arn:aws:iam::123456789012:mfa\/user@).
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    serialNumber :: Prelude.Maybe Prelude.Text,
+    -- | The source identity specified by the principal that is calling the
+    -- @AssumeRole@ operation.
+    --
+    -- You can require users to specify a source identity when they assume a
+    -- role. You do this by using the @sts:SourceIdentity@ condition key in a
+    -- role trust policy. You can use source identity information in CloudTrail
+    -- logs to determine who took actions with a role. You can use the
+    -- @aws:SourceIdentity@ condition key to further control access to Amazon
+    -- Web Services resources based on the value of source identity. For more
+    -- information about using source identity, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+    -- in the /IAM User Guide/.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-. You cannot use a value that begins with the text
+    -- @aws:@. This prefix is reserved for Amazon Web Services internal use.
+    sourceIdentity :: Prelude.Maybe Prelude.Text,
+    -- | A list of session tags that you want to pass. Each session tag consists
+    -- of a key name and an associated value. For more information about
+    -- session tags, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging Amazon Web Services STS Sessions>
+    -- in the /IAM User Guide/.
+    --
+    -- This parameter is optional. You can pass up to 50 session tags. The
+    -- plaintext session tag keys can’t exceed 128 characters, and the values
+    -- can’t exceed 256 characters. For these and additional limits, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+    -- in the /IAM User Guide/.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    --
+    -- You can pass a session tag with the same key as a tag that is already
+    -- attached to the role. When you do, session tags override a role tag with
+    -- the same key.
+    --
+    -- Tag key–value pairs are not case sensitive, but case is preserved. This
+    -- means that you cannot have separate @Department@ and @department@ tag
+    -- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+    -- pass the @department@=@engineering@ session tag. @Department@ and
+    -- @department@ are not saved as separate tags, and the session tag passed
+    -- in the request takes precedence over the role tag.
+    --
+    -- Additionally, if you used temporary credentials to perform this
+    -- operation, the new session inherits any transitive session tags from the
+    -- calling session. If you pass a session tag with the same key as an
+    -- inherited tag, the operation fails. To view the inherited tags for a
+    -- session, see the CloudTrail logs. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail>
+    -- in the /IAM User Guide/.
+    tags :: Prelude.Maybe [Tag],
+    -- | The value provided by the MFA device, if the trust policy of the role
+    -- being assumed requires MFA. (In other words, if the policy includes a
+    -- condition that tests for MFA). If the role being assumed requires MFA
+    -- and if the @TokenCode@ value is missing or expired, the @AssumeRole@
+    -- call returns an \"access denied\" error.
+    --
+    -- The format for this parameter, as described by its regex pattern, is a
+    -- sequence of six numeric digits.
+    tokenCode :: Prelude.Maybe Prelude.Text,
+    -- | A list of keys for session tags that you want to set as transitive. If
+    -- you set a tag key as transitive, the corresponding key and value passes
+    -- to subsequent sessions in a role chain. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+    -- in the /IAM User Guide/.
+    --
+    -- This parameter is optional. When you set session tags as transitive, the
+    -- session policy and session tags packed binary limit is not affected.
+    --
+    -- If you choose not to specify a transitive tag key, then no tags are
+    -- passed from this session to any subsequent sessions.
+    transitiveTagKeys :: Prelude.Maybe [Prelude.Text],
+    -- | The Amazon Resource Name (ARN) of the role to assume.
+    roleArn :: Prelude.Text,
+    -- | An identifier for the assumed role session.
+    --
+    -- Use the role session name to uniquely identify a session when the same
+    -- role is assumed by different principals or for different reasons. In
+    -- cross-account scenarios, the role session name is visible to, and can be
+    -- logged by the account that owns the role. The role session name is also
+    -- used in the ARN of the assumed role principal. This means that
+    -- subsequent cross-account API requests that use the temporary security
+    -- credentials will expose the role session name to the external account in
+    -- their CloudTrail logs.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    roleSessionName :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRole' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'durationSeconds', 'assumeRole_durationSeconds' - The duration, in seconds, of the role session. The value specified can
+-- range from 900 seconds (15 minutes) up to the maximum session duration
+-- set for the role. The maximum session duration setting can have a value
+-- from 1 hour to 12 hours. If you specify a value higher than this setting
+-- or the administrator setting (whichever is lower), the operation fails.
+-- For example, if you specify a session duration of 12 hours, but your
+-- administrator set the maximum session duration to 6 hours, your
+-- operation fails.
+--
+-- Role chaining limits your Amazon Web Services CLI or Amazon Web Services
+-- API role session to a maximum of one hour. When you use the @AssumeRole@
+-- API operation to assume a role, you can specify the duration of your
+-- role session with the @DurationSeconds@ parameter. You can specify a
+-- parameter value of up to 43200 seconds (12 hours), depending on the
+-- maximum session duration setting for your role. However, if you assume a
+-- role using role chaining and provide a @DurationSeconds@ parameter value
+-- greater than one hour, the operation fails. To learn how to view the
+-- maximum value for your role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+--
+-- 'externalId', 'assumeRole_externalId' - A unique identifier that might be required when you assume a role in
+-- another account. If the administrator of the account to which the role
+-- belongs provided you with an external ID, then provide that value in the
+-- @ExternalId@ parameter. This value can be any string, such as a
+-- passphrase or account number. A cross-account role is usually set up to
+-- trust everyone in an account. Therefore, the administrator of the
+-- trusting account might send an external ID to the administrator of the
+-- trusted account. That way, only someone with the ID can assume the role,
+-- rather than everyone in the account. For more information about the
+-- external ID, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@:\/-
+--
+-- 'policy', 'assumeRole_policy' - An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- 'policyArns', 'assumeRole_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- 'serialNumber', 'assumeRole_serialNumber' - The identification number of the MFA device that is associated with the
+-- user who is making the @AssumeRole@ call. Specify this value if the
+-- trust policy of the role being assumed includes a condition that
+-- requires MFA authentication. The value is either the serial number for a
+-- hardware device (such as @GAHT12345678@) or an Amazon Resource Name
+-- (ARN) for a virtual device (such as
+-- @arn:aws:iam::123456789012:mfa\/user@).
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+--
+-- 'sourceIdentity', 'assumeRole_sourceIdentity' - The source identity specified by the principal that is calling the
+-- @AssumeRole@ operation.
+--
+-- You can require users to specify a source identity when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. You can use source identity information in CloudTrail
+-- logs to determine who took actions with a role. You can use the
+-- @aws:SourceIdentity@ condition key to further control access to Amazon
+-- Web Services resources based on the value of source identity. For more
+-- information about using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-. You cannot use a value that begins with the text
+-- @aws:@. This prefix is reserved for Amazon Web Services internal use.
+--
+-- 'tags', 'assumeRole_tags' - A list of session tags that you want to pass. Each session tag consists
+-- of a key name and an associated value. For more information about
+-- session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging Amazon Web Services STS Sessions>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. You can pass up to 50 session tags. The
+-- plaintext session tag keys can’t exceed 128 characters, and the values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is already
+-- attached to the role. When you do, session tags override a role tag with
+-- the same key.
+--
+-- Tag key–value pairs are not case sensitive, but case is preserved. This
+-- means that you cannot have separate @Department@ and @department@ tag
+-- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+-- pass the @department@=@engineering@ session tag. @Department@ and
+-- @department@ are not saved as separate tags, and the session tag passed
+-- in the request takes precedence over the role tag.
+--
+-- Additionally, if you used temporary credentials to perform this
+-- operation, the new session inherits any transitive session tags from the
+-- calling session. If you pass a session tag with the same key as an
+-- inherited tag, the operation fails. To view the inherited tags for a
+-- session, see the CloudTrail logs. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail>
+-- in the /IAM User Guide/.
+--
+-- 'tokenCode', 'assumeRole_tokenCode' - The value provided by the MFA device, if the trust policy of the role
+-- being assumed requires MFA. (In other words, if the policy includes a
+-- condition that tests for MFA). If the role being assumed requires MFA
+-- and if the @TokenCode@ value is missing or expired, the @AssumeRole@
+-- call returns an \"access denied\" error.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
+--
+-- 'transitiveTagKeys', 'assumeRole_transitiveTagKeys' - A list of keys for session tags that you want to set as transitive. If
+-- you set a tag key as transitive, the corresponding key and value passes
+-- to subsequent sessions in a role chain. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. When you set session tags as transitive, the
+-- session policy and session tags packed binary limit is not affected.
+--
+-- If you choose not to specify a transitive tag key, then no tags are
+-- passed from this session to any subsequent sessions.
+--
+-- 'roleArn', 'assumeRole_roleArn' - The Amazon Resource Name (ARN) of the role to assume.
+--
+-- 'roleSessionName', 'assumeRole_roleSessionName' - An identifier for the assumed role session.
+--
+-- Use the role session name to uniquely identify a session when the same
+-- role is assumed by different principals or for different reasons. In
+-- cross-account scenarios, the role session name is visible to, and can be
+-- logged by the account that owns the role. The role session name is also
+-- used in the ARN of the assumed role principal. This means that
+-- subsequent cross-account API requests that use the temporary security
+-- credentials will expose the role session name to the external account in
+-- their CloudTrail logs.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+newAssumeRole ::
+  -- | 'roleArn'
+  Prelude.Text ->
+  -- | 'roleSessionName'
+  Prelude.Text ->
+  AssumeRole
+newAssumeRole pRoleArn_ pRoleSessionName_ =
+  AssumeRole'
+    { durationSeconds = Prelude.Nothing,
+      externalId = Prelude.Nothing,
+      policy = Prelude.Nothing,
+      policyArns = Prelude.Nothing,
+      serialNumber = Prelude.Nothing,
+      sourceIdentity = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      tokenCode = Prelude.Nothing,
+      transitiveTagKeys = Prelude.Nothing,
+      roleArn = pRoleArn_,
+      roleSessionName = pRoleSessionName_
+    }
+
+-- | The duration, in seconds, of the role session. The value specified can
+-- range from 900 seconds (15 minutes) up to the maximum session duration
+-- set for the role. The maximum session duration setting can have a value
+-- from 1 hour to 12 hours. If you specify a value higher than this setting
+-- or the administrator setting (whichever is lower), the operation fails.
+-- For example, if you specify a session duration of 12 hours, but your
+-- administrator set the maximum session duration to 6 hours, your
+-- operation fails.
+--
+-- Role chaining limits your Amazon Web Services CLI or Amazon Web Services
+-- API role session to a maximum of one hour. When you use the @AssumeRole@
+-- API operation to assume a role, you can specify the duration of your
+-- role session with the @DurationSeconds@ parameter. You can specify a
+-- parameter value of up to 43200 seconds (12 hours), depending on the
+-- maximum session duration setting for your role. However, if you assume a
+-- role using role chaining and provide a @DurationSeconds@ parameter value
+-- greater than one hour, the operation fails. To learn how to view the
+-- maximum value for your role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+assumeRole_durationSeconds :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Natural)
+assumeRole_durationSeconds = Lens.lens (\AssumeRole' {durationSeconds} -> durationSeconds) (\s@AssumeRole' {} a -> s {durationSeconds = a} :: AssumeRole)
+
+-- | A unique identifier that might be required when you assume a role in
+-- another account. If the administrator of the account to which the role
+-- belongs provided you with an external ID, then provide that value in the
+-- @ExternalId@ parameter. This value can be any string, such as a
+-- passphrase or account number. A cross-account role is usually set up to
+-- trust everyone in an account. Therefore, the administrator of the
+-- trusting account might send an external ID to the administrator of the
+-- trusted account. That way, only someone with the ID can assume the role,
+-- rather than everyone in the account. For more information about the
+-- external ID, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@:\/-
+assumeRole_externalId :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text)
+assumeRole_externalId = Lens.lens (\AssumeRole' {externalId} -> externalId) (\s@AssumeRole' {} a -> s {externalId = a} :: AssumeRole)
+
+-- | An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+assumeRole_policy :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text)
+assumeRole_policy = Lens.lens (\AssumeRole' {policy} -> policy) (\s@AssumeRole' {} a -> s {policy = a} :: AssumeRole)
+
+-- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+assumeRole_policyArns :: Lens.Lens' AssumeRole (Prelude.Maybe [PolicyDescriptorType])
+assumeRole_policyArns = Lens.lens (\AssumeRole' {policyArns} -> policyArns) (\s@AssumeRole' {} a -> s {policyArns = a} :: AssumeRole) Prelude.. Lens.mapping Lens.coerced
+
+-- | The identification number of the MFA device that is associated with the
+-- user who is making the @AssumeRole@ call. Specify this value if the
+-- trust policy of the role being assumed includes a condition that
+-- requires MFA authentication. The value is either the serial number for a
+-- hardware device (such as @GAHT12345678@) or an Amazon Resource Name
+-- (ARN) for a virtual device (such as
+-- @arn:aws:iam::123456789012:mfa\/user@).
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRole_serialNumber :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text)
+assumeRole_serialNumber = Lens.lens (\AssumeRole' {serialNumber} -> serialNumber) (\s@AssumeRole' {} a -> s {serialNumber = a} :: AssumeRole)
+
+-- | The source identity specified by the principal that is calling the
+-- @AssumeRole@ operation.
+--
+-- You can require users to specify a source identity when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. You can use source identity information in CloudTrail
+-- logs to determine who took actions with a role. You can use the
+-- @aws:SourceIdentity@ condition key to further control access to Amazon
+-- Web Services resources based on the value of source identity. For more
+-- information about using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-. You cannot use a value that begins with the text
+-- @aws:@. This prefix is reserved for Amazon Web Services internal use.
+assumeRole_sourceIdentity :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text)
+assumeRole_sourceIdentity = Lens.lens (\AssumeRole' {sourceIdentity} -> sourceIdentity) (\s@AssumeRole' {} a -> s {sourceIdentity = a} :: AssumeRole)
+
+-- | A list of session tags that you want to pass. Each session tag consists
+-- of a key name and an associated value. For more information about
+-- session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging Amazon Web Services STS Sessions>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. You can pass up to 50 session tags. The
+-- plaintext session tag keys can’t exceed 128 characters, and the values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is already
+-- attached to the role. When you do, session tags override a role tag with
+-- the same key.
+--
+-- Tag key–value pairs are not case sensitive, but case is preserved. This
+-- means that you cannot have separate @Department@ and @department@ tag
+-- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+-- pass the @department@=@engineering@ session tag. @Department@ and
+-- @department@ are not saved as separate tags, and the session tag passed
+-- in the request takes precedence over the role tag.
+--
+-- Additionally, if you used temporary credentials to perform this
+-- operation, the new session inherits any transitive session tags from the
+-- calling session. If you pass a session tag with the same key as an
+-- inherited tag, the operation fails. To view the inherited tags for a
+-- session, see the CloudTrail logs. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail>
+-- in the /IAM User Guide/.
+assumeRole_tags :: Lens.Lens' AssumeRole (Prelude.Maybe [Tag])
+assumeRole_tags = Lens.lens (\AssumeRole' {tags} -> tags) (\s@AssumeRole' {} a -> s {tags = a} :: AssumeRole) Prelude.. Lens.mapping Lens.coerced
+
+-- | The value provided by the MFA device, if the trust policy of the role
+-- being assumed requires MFA. (In other words, if the policy includes a
+-- condition that tests for MFA). If the role being assumed requires MFA
+-- and if the @TokenCode@ value is missing or expired, the @AssumeRole@
+-- call returns an \"access denied\" error.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
+assumeRole_tokenCode :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text)
+assumeRole_tokenCode = Lens.lens (\AssumeRole' {tokenCode} -> tokenCode) (\s@AssumeRole' {} a -> s {tokenCode = a} :: AssumeRole)
+
+-- | A list of keys for session tags that you want to set as transitive. If
+-- you set a tag key as transitive, the corresponding key and value passes
+-- to subsequent sessions in a role chain. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. When you set session tags as transitive, the
+-- session policy and session tags packed binary limit is not affected.
+--
+-- If you choose not to specify a transitive tag key, then no tags are
+-- passed from this session to any subsequent sessions.
+assumeRole_transitiveTagKeys :: Lens.Lens' AssumeRole (Prelude.Maybe [Prelude.Text])
+assumeRole_transitiveTagKeys = Lens.lens (\AssumeRole' {transitiveTagKeys} -> transitiveTagKeys) (\s@AssumeRole' {} a -> s {transitiveTagKeys = a} :: AssumeRole) Prelude.. Lens.mapping Lens.coerced
+
+-- | The Amazon Resource Name (ARN) of the role to assume.
+assumeRole_roleArn :: Lens.Lens' AssumeRole Prelude.Text
+assumeRole_roleArn = Lens.lens (\AssumeRole' {roleArn} -> roleArn) (\s@AssumeRole' {} a -> s {roleArn = a} :: AssumeRole)
+
+-- | An identifier for the assumed role session.
+--
+-- Use the role session name to uniquely identify a session when the same
+-- role is assumed by different principals or for different reasons. In
+-- cross-account scenarios, the role session name is visible to, and can be
+-- logged by the account that owns the role. The role session name is also
+-- used in the ARN of the assumed role principal. This means that
+-- subsequent cross-account API requests that use the temporary security
+-- credentials will expose the role session name to the external account in
+-- their CloudTrail logs.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRole_roleSessionName :: Lens.Lens' AssumeRole Prelude.Text
+assumeRole_roleSessionName = Lens.lens (\AssumeRole' {roleSessionName} -> roleSessionName) (\s@AssumeRole' {} a -> s {roleSessionName = a} :: AssumeRole)
+
+instance Core.AWSRequest AssumeRole where
+  type AWSResponse AssumeRole = AssumeRoleResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "AssumeRoleResult"
+      ( \s h x ->
+          AssumeRoleResponse'
+            Prelude.<$> (x Data..@? "AssumedRoleUser")
+            Prelude.<*> (x Data..@? "PackedPolicySize")
+            Prelude.<*> (x Data..@? "SourceIdentity")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..@ "Credentials")
+      )
+
+instance Prelude.Hashable AssumeRole where
+  hashWithSalt _salt AssumeRole' {..} =
+    _salt
+      `Prelude.hashWithSalt` durationSeconds
+      `Prelude.hashWithSalt` externalId
+      `Prelude.hashWithSalt` policy
+      `Prelude.hashWithSalt` policyArns
+      `Prelude.hashWithSalt` serialNumber
+      `Prelude.hashWithSalt` sourceIdentity
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` tokenCode
+      `Prelude.hashWithSalt` transitiveTagKeys
+      `Prelude.hashWithSalt` roleArn
+      `Prelude.hashWithSalt` roleSessionName
+
+instance Prelude.NFData AssumeRole where
+  rnf AssumeRole' {..} =
+    Prelude.rnf durationSeconds
+      `Prelude.seq` Prelude.rnf externalId
+      `Prelude.seq` Prelude.rnf policy
+      `Prelude.seq` Prelude.rnf policyArns
+      `Prelude.seq` Prelude.rnf serialNumber
+      `Prelude.seq` Prelude.rnf sourceIdentity
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf tokenCode
+      `Prelude.seq` Prelude.rnf transitiveTagKeys
+      `Prelude.seq` Prelude.rnf roleArn
+      `Prelude.seq` Prelude.rnf roleSessionName
+
+instance Data.ToHeaders AssumeRole where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath AssumeRole where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery AssumeRole where
+  toQuery AssumeRole' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("AssumeRole" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "DurationSeconds" Data.=: durationSeconds,
+        "ExternalId" Data.=: externalId,
+        "Policy" Data.=: policy,
+        "PolicyArns"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> policyArns),
+        "SerialNumber" Data.=: serialNumber,
+        "SourceIdentity" Data.=: sourceIdentity,
+        "Tags"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> tags),
+        "TokenCode" Data.=: tokenCode,
+        "TransitiveTagKeys"
+          Data.=: Data.toQuery
+            ( Data.toQueryList "member"
+                Prelude.<$> transitiveTagKeys
+            ),
+        "RoleArn" Data.=: roleArn,
+        "RoleSessionName" Data.=: roleSessionName
+      ]
+
+-- | Contains the response to a successful AssumeRole request, including
+-- temporary Amazon Web Services credentials that can be used to make
+-- Amazon Web Services requests.
+--
+-- /See:/ 'newAssumeRoleResponse' smart constructor.
+data AssumeRoleResponse = AssumeRoleResponse'
+  { -- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+    -- identifiers that you can use to refer to the resulting temporary
+    -- security credentials. For example, you can reference these credentials
+    -- as a principal in a resource-based policy by using the ARN or assumed
+    -- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+    -- when you called @AssumeRole@.
+    assumedRoleUser :: Prelude.Maybe AssumedRoleUser,
+    -- | A percentage value that indicates the packed size of the session
+    -- policies and session tags combined passed in the request. The request
+    -- fails if the packed size is greater than 100 percent, which means the
+    -- policies and tags exceeded the allowed space.
+    packedPolicySize :: Prelude.Maybe Prelude.Natural,
+    -- | The source identity specified by the principal that is calling the
+    -- @AssumeRole@ operation.
+    --
+    -- You can require users to specify a source identity when they assume a
+    -- role. You do this by using the @sts:SourceIdentity@ condition key in a
+    -- role trust policy. You can use source identity information in CloudTrail
+    -- logs to determine who took actions with a role. You can use the
+    -- @aws:SourceIdentity@ condition key to further control access to Amazon
+    -- Web Services resources based on the value of source identity. For more
+    -- information about using source identity, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+    -- in the /IAM User Guide/.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    sourceIdentity :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | The temporary security credentials, which include an access key ID, a
+    -- secret access key, and a security (or session) token.
+    --
+    -- The size of the security token that STS API operations return is not
+    -- fixed. We strongly recommend that you make no assumptions about the
+    -- maximum size.
+    credentials :: Core.AuthEnv
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRoleResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'assumedRoleUser', 'assumeRoleResponse_assumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+-- when you called @AssumeRole@.
+--
+-- 'packedPolicySize', 'assumeRoleResponse_packedPolicySize' - A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+--
+-- 'sourceIdentity', 'assumeRoleResponse_sourceIdentity' - The source identity specified by the principal that is calling the
+-- @AssumeRole@ operation.
+--
+-- You can require users to specify a source identity when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. You can use source identity information in CloudTrail
+-- logs to determine who took actions with a role. You can use the
+-- @aws:SourceIdentity@ condition key to further control access to Amazon
+-- Web Services resources based on the value of source identity. For more
+-- information about using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+--
+-- 'httpStatus', 'assumeRoleResponse_httpStatus' - The response's http status code.
+--
+-- 'credentials', 'assumeRoleResponse_credentials' - The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+newAssumeRoleResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'credentials'
+  Core.AuthEnv ->
+  AssumeRoleResponse
+newAssumeRoleResponse pHttpStatus_ pCredentials_ =
+  AssumeRoleResponse'
+    { assumedRoleUser =
+        Prelude.Nothing,
+      packedPolicySize = Prelude.Nothing,
+      sourceIdentity = Prelude.Nothing,
+      httpStatus = pHttpStatus_,
+      credentials = pCredentials_
+    }
+
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+-- when you called @AssumeRole@.
+assumeRoleResponse_assumedRoleUser :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe AssumedRoleUser)
+assumeRoleResponse_assumedRoleUser = Lens.lens (\AssumeRoleResponse' {assumedRoleUser} -> assumedRoleUser) (\s@AssumeRoleResponse' {} a -> s {assumedRoleUser = a} :: AssumeRoleResponse)
+
+-- | A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+assumeRoleResponse_packedPolicySize :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe Prelude.Natural)
+assumeRoleResponse_packedPolicySize = Lens.lens (\AssumeRoleResponse' {packedPolicySize} -> packedPolicySize) (\s@AssumeRoleResponse' {} a -> s {packedPolicySize = a} :: AssumeRoleResponse)
+
+-- | The source identity specified by the principal that is calling the
+-- @AssumeRole@ operation.
+--
+-- You can require users to specify a source identity when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. You can use source identity information in CloudTrail
+-- logs to determine who took actions with a role. You can use the
+-- @aws:SourceIdentity@ condition key to further control access to Amazon
+-- Web Services resources based on the value of source identity. For more
+-- information about using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRoleResponse_sourceIdentity :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe Prelude.Text)
+assumeRoleResponse_sourceIdentity = Lens.lens (\AssumeRoleResponse' {sourceIdentity} -> sourceIdentity) (\s@AssumeRoleResponse' {} a -> s {sourceIdentity = a} :: AssumeRoleResponse)
+
+-- | The response's http status code.
+assumeRoleResponse_httpStatus :: Lens.Lens' AssumeRoleResponse Prelude.Int
+assumeRoleResponse_httpStatus = Lens.lens (\AssumeRoleResponse' {httpStatus} -> httpStatus) (\s@AssumeRoleResponse' {} a -> s {httpStatus = a} :: AssumeRoleResponse)
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+assumeRoleResponse_credentials :: Lens.Lens' AssumeRoleResponse Core.AuthEnv
+assumeRoleResponse_credentials = Lens.lens (\AssumeRoleResponse' {credentials} -> credentials) (\s@AssumeRoleResponse' {} a -> s {credentials = a} :: AssumeRoleResponse)
+
+instance Prelude.NFData AssumeRoleResponse where
+  rnf AssumeRoleResponse' {..} =
+    Prelude.rnf assumedRoleUser
+      `Prelude.seq` Prelude.rnf packedPolicySize
+      `Prelude.seq` Prelude.rnf sourceIdentity
+      `Prelude.seq` Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf credentials
diff --git a/gen/Amazonka/STS/AssumeRoleWithSAML.hs b/gen/Amazonka/STS/AssumeRoleWithSAML.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/AssumeRoleWithSAML.hs
@@ -0,0 +1,872 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.AssumeRoleWithSAML
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns a set of temporary security credentials for users who have been
+-- authenticated via a SAML authentication response. This operation
+-- provides a mechanism for tying an enterprise identity store or directory
+-- to role-based Amazon Web Services access without user-specific
+-- credentials or configuration. For a comparison of @AssumeRoleWithSAML@
+-- with the other API operations that produce temporary credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the Amazon Web Services STS API operations>
+-- in the /IAM User Guide/.
+--
+-- The temporary security credentials returned by this operation consist of
+-- an access key ID, a secret access key, and a security token.
+-- Applications can use these temporary security credentials to sign calls
+-- to Amazon Web Services services.
+--
+-- __Session Duration__
+--
+-- By default, the temporary security credentials created by
+-- @AssumeRoleWithSAML@ last for one hour. However, you can use the
+-- optional @DurationSeconds@ parameter to specify the duration of your
+-- session. Your role session lasts for the duration that you specify, or
+-- until the time specified in the SAML authentication response\'s
+-- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a
+-- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum
+-- session duration setting for the role. This setting can have a value
+-- from 1 hour to 12 hours. To learn how to view the maximum value for your
+-- role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/. The maximum session duration limit applies when
+-- you use the @AssumeRole*@ API operations or the @assume-role*@ CLI
+-- commands. However the limit does not apply when you use those operations
+-- to create a console URL. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html Using IAM Roles>
+-- in the /IAM User Guide/.
+--
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining Role chaining>
+-- limits your CLI or Amazon Web Services API role session to a maximum of
+-- one hour. When you use the @AssumeRole@ API operation to assume a role,
+-- you can specify the duration of your role session with the
+-- @DurationSeconds@ parameter. You can specify a parameter value of up to
+-- 43200 seconds (12 hours), depending on the maximum session duration
+-- setting for your role. However, if you assume a role using role chaining
+-- and provide a @DurationSeconds@ parameter value greater than one hour,
+-- the operation fails.
+--
+-- __Permissions__
+--
+-- The temporary security credentials created by @AssumeRoleWithSAML@ can
+-- be used to make API calls to any Amazon Web Services service with the
+-- following exception: you cannot call the STS @GetFederationToken@ or
+-- @GetSessionToken@ API operations.
+--
+-- (Optional) You can pass inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. Passing policies to this operation
+-- returns new temporary credentials. The resulting session\'s permissions
+-- are the intersection of the role\'s identity-based policy and the
+-- session policies. You can use the role\'s temporary credentials in
+-- subsequent Amazon Web Services API calls to access resources in the
+-- account that owns the role. You cannot use session policies to grant
+-- more permissions than those allowed by the identity-based policy of the
+-- role that is being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- Calling @AssumeRoleWithSAML@ does not require the use of Amazon Web
+-- Services security credentials. The identity of the caller is validated
+-- by using keys in the metadata document that is uploaded for the SAML
+-- provider entity for your identity provider.
+--
+-- Calling @AssumeRoleWithSAML@ can result in an entry in your CloudTrail
+-- logs. The entry includes the value in the @NameID@ element of the SAML
+-- assertion. We recommend that you use a @NameIDType@ that is not
+-- associated with any personally identifiable information (PII). For
+-- example, you could instead use the persistent identifier
+-- (@urn:oasis:names:tc:SAML:2.0:nameid-format:persistent@).
+--
+-- __Tags__
+--
+-- (Optional) You can configure your IdP to pass attributes into your SAML
+-- assertion as session tags. Each session tag consists of a key name and
+-- an associated value. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- You can pass up to 50 session tags. The plaintext session tag keys can’t
+-- exceed 128 characters and the values can’t exceed 256 characters. For
+-- these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is attached
+-- to the role. When you do, session tags override the role\'s tags with
+-- the same key.
+--
+-- An administrator must grant you the permissions necessary to pass
+-- session tags. The administrator can also create granular permissions to
+-- allow you to pass only specific session tags. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control>
+-- in the /IAM User Guide/.
+--
+-- You can set the session tags as transitive. Transitive tags persist
+-- during role chaining. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+-- in the /IAM User Guide/.
+--
+-- __SAML Configuration__
+--
+-- Before your application can call @AssumeRoleWithSAML@, you must
+-- configure your SAML identity provider (IdP) to issue the claims required
+-- by Amazon Web Services. Additionally, you must use Identity and Access
+-- Management (IAM) to create a SAML provider entity in your Amazon Web
+-- Services account that represents your identity provider. You must also
+-- create an IAM role that specifies this SAML provider in its trust
+-- policy.
+--
+-- For more information, see the following resources:
+--
+-- -   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html About SAML 2.0-based Federation>
+--     in the /IAM User Guide/.
+--
+-- -   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html Creating SAML Identity Providers>
+--     in the /IAM User Guide/.
+--
+-- -   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html Configuring a Relying Party and Claims>
+--     in the /IAM User Guide/.
+--
+-- -   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html Creating a Role for SAML 2.0 Federation>
+--     in the /IAM User Guide/.
+module Amazonka.STS.AssumeRoleWithSAML
+  ( -- * Creating a Request
+    AssumeRoleWithSAML (..),
+    newAssumeRoleWithSAML,
+
+    -- * Request Lenses
+    assumeRoleWithSAML_durationSeconds,
+    assumeRoleWithSAML_policy,
+    assumeRoleWithSAML_policyArns,
+    assumeRoleWithSAML_roleArn,
+    assumeRoleWithSAML_principalArn,
+    assumeRoleWithSAML_sAMLAssertion,
+
+    -- * Destructuring the Response
+    AssumeRoleWithSAMLResponse (..),
+    newAssumeRoleWithSAMLResponse,
+
+    -- * Response Lenses
+    assumeRoleWithSAMLResponse_assumedRoleUser,
+    assumeRoleWithSAMLResponse_audience,
+    assumeRoleWithSAMLResponse_credentials,
+    assumeRoleWithSAMLResponse_issuer,
+    assumeRoleWithSAMLResponse_nameQualifier,
+    assumeRoleWithSAMLResponse_packedPolicySize,
+    assumeRoleWithSAMLResponse_sourceIdentity,
+    assumeRoleWithSAMLResponse_subject,
+    assumeRoleWithSAMLResponse_subjectType,
+    assumeRoleWithSAMLResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newAssumeRoleWithSAML' smart constructor.
+data AssumeRoleWithSAML = AssumeRoleWithSAML'
+  { -- | The duration, in seconds, of the role session. Your role session lasts
+    -- for the duration that you specify for the @DurationSeconds@ parameter,
+    -- or until the time specified in the SAML authentication response\'s
+    -- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a
+    -- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum
+    -- session duration setting for the role. This setting can have a value
+    -- from 1 hour to 12 hours. If you specify a value higher than this
+    -- setting, the operation fails. For example, if you specify a session
+    -- duration of 12 hours, but your administrator set the maximum session
+    -- duration to 6 hours, your operation fails. To learn how to view the
+    -- maximum value for your role, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+    -- in the /IAM User Guide/.
+    --
+    -- By default, the value is set to @3600@ seconds.
+    --
+    -- The @DurationSeconds@ parameter is separate from the duration of a
+    -- console session that you might request using the returned credentials.
+    -- The request to the federation endpoint for a console sign-in token takes
+    -- a @SessionDuration@ parameter that specifies the maximum length of the
+    -- console session. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+    -- in the /IAM User Guide/.
+    durationSeconds :: Prelude.Maybe Prelude.Natural,
+    -- | An IAM policy in JSON format that you want to use as an inline session
+    -- policy.
+    --
+    -- This parameter is optional. Passing policies to this operation returns
+    -- new temporary credentials. The resulting session\'s permissions are the
+    -- intersection of the role\'s identity-based policy and the session
+    -- policies. You can use the role\'s temporary credentials in subsequent
+    -- Amazon Web Services API calls to access resources in the account that
+    -- owns the role. You cannot use session policies to grant more permissions
+    -- than those allowed by the identity-based policy of the role that is
+    -- being assumed. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    --
+    -- The plaintext that you use for both inline and managed session policies
+    -- can\'t exceed 2,048 characters. The JSON policy characters can be any
+    -- ASCII character from the space character to the end of the valid
+    -- character list (\\u0020 through \\u00FF). It can also include the tab
+    -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    policy :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    -- want to use as managed session policies. The policies must exist in the
+    -- same account as the role.
+    --
+    -- This parameter is optional. You can provide up to 10 managed policy
+    -- ARNs. However, the plaintext that you use for both inline and managed
+    -- session policies can\'t exceed 2,048 characters. For more information
+    -- about ARNs, see
+    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+    -- in the Amazon Web Services General Reference.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    --
+    -- Passing policies to this operation returns new temporary credentials.
+    -- The resulting session\'s permissions are the intersection of the role\'s
+    -- identity-based policy and the session policies. You can use the role\'s
+    -- temporary credentials in subsequent Amazon Web Services API calls to
+    -- access resources in the account that owns the role. You cannot use
+    -- session policies to grant more permissions than those allowed by the
+    -- identity-based policy of the role that is being assumed. For more
+    -- information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    policyArns :: Prelude.Maybe [PolicyDescriptorType],
+    -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+    roleArn :: Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the SAML provider in IAM that
+    -- describes the IdP.
+    principalArn :: Prelude.Text,
+    -- | The base64 encoded SAML authentication response provided by the IdP.
+    --
+    -- For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>
+    -- in the /IAM User Guide/.
+    sAMLAssertion :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRoleWithSAML' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'durationSeconds', 'assumeRoleWithSAML_durationSeconds' - The duration, in seconds, of the role session. Your role session lasts
+-- for the duration that you specify for the @DurationSeconds@ parameter,
+-- or until the time specified in the SAML authentication response\'s
+-- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a
+-- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum
+-- session duration setting for the role. This setting can have a value
+-- from 1 hour to 12 hours. If you specify a value higher than this
+-- setting, the operation fails. For example, if you specify a session
+-- duration of 12 hours, but your administrator set the maximum session
+-- duration to 6 hours, your operation fails. To learn how to view the
+-- maximum value for your role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+--
+-- 'policy', 'assumeRoleWithSAML_policy' - An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- 'policyArns', 'assumeRoleWithSAML_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- 'roleArn', 'assumeRoleWithSAML_roleArn' - The Amazon Resource Name (ARN) of the role that the caller is assuming.
+--
+-- 'principalArn', 'assumeRoleWithSAML_principalArn' - The Amazon Resource Name (ARN) of the SAML provider in IAM that
+-- describes the IdP.
+--
+-- 'sAMLAssertion', 'assumeRoleWithSAML_sAMLAssertion' - The base64 encoded SAML authentication response provided by the IdP.
+--
+-- For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>
+-- in the /IAM User Guide/.
+newAssumeRoleWithSAML ::
+  -- | 'roleArn'
+  Prelude.Text ->
+  -- | 'principalArn'
+  Prelude.Text ->
+  -- | 'sAMLAssertion'
+  Prelude.Text ->
+  AssumeRoleWithSAML
+newAssumeRoleWithSAML
+  pRoleArn_
+  pPrincipalArn_
+  pSAMLAssertion_ =
+    AssumeRoleWithSAML'
+      { durationSeconds =
+          Prelude.Nothing,
+        policy = Prelude.Nothing,
+        policyArns = Prelude.Nothing,
+        roleArn = pRoleArn_,
+        principalArn = pPrincipalArn_,
+        sAMLAssertion = pSAMLAssertion_
+      }
+
+-- | The duration, in seconds, of the role session. Your role session lasts
+-- for the duration that you specify for the @DurationSeconds@ parameter,
+-- or until the time specified in the SAML authentication response\'s
+-- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a
+-- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum
+-- session duration setting for the role. This setting can have a value
+-- from 1 hour to 12 hours. If you specify a value higher than this
+-- setting, the operation fails. For example, if you specify a session
+-- duration of 12 hours, but your administrator set the maximum session
+-- duration to 6 hours, your operation fails. To learn how to view the
+-- maximum value for your role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+assumeRoleWithSAML_durationSeconds :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe Prelude.Natural)
+assumeRoleWithSAML_durationSeconds = Lens.lens (\AssumeRoleWithSAML' {durationSeconds} -> durationSeconds) (\s@AssumeRoleWithSAML' {} a -> s {durationSeconds = a} :: AssumeRoleWithSAML)
+
+-- | An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+assumeRoleWithSAML_policy :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAML_policy = Lens.lens (\AssumeRoleWithSAML' {policy} -> policy) (\s@AssumeRoleWithSAML' {} a -> s {policy = a} :: AssumeRoleWithSAML)
+
+-- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+assumeRoleWithSAML_policyArns :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe [PolicyDescriptorType])
+assumeRoleWithSAML_policyArns = Lens.lens (\AssumeRoleWithSAML' {policyArns} -> policyArns) (\s@AssumeRoleWithSAML' {} a -> s {policyArns = a} :: AssumeRoleWithSAML) Prelude.. Lens.mapping Lens.coerced
+
+-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+assumeRoleWithSAML_roleArn :: Lens.Lens' AssumeRoleWithSAML Prelude.Text
+assumeRoleWithSAML_roleArn = Lens.lens (\AssumeRoleWithSAML' {roleArn} -> roleArn) (\s@AssumeRoleWithSAML' {} a -> s {roleArn = a} :: AssumeRoleWithSAML)
+
+-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that
+-- describes the IdP.
+assumeRoleWithSAML_principalArn :: Lens.Lens' AssumeRoleWithSAML Prelude.Text
+assumeRoleWithSAML_principalArn = Lens.lens (\AssumeRoleWithSAML' {principalArn} -> principalArn) (\s@AssumeRoleWithSAML' {} a -> s {principalArn = a} :: AssumeRoleWithSAML)
+
+-- | The base64 encoded SAML authentication response provided by the IdP.
+--
+-- For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>
+-- in the /IAM User Guide/.
+assumeRoleWithSAML_sAMLAssertion :: Lens.Lens' AssumeRoleWithSAML Prelude.Text
+assumeRoleWithSAML_sAMLAssertion = Lens.lens (\AssumeRoleWithSAML' {sAMLAssertion} -> sAMLAssertion) (\s@AssumeRoleWithSAML' {} a -> s {sAMLAssertion = a} :: AssumeRoleWithSAML)
+
+instance Core.AWSRequest AssumeRoleWithSAML where
+  type
+    AWSResponse AssumeRoleWithSAML =
+      AssumeRoleWithSAMLResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "AssumeRoleWithSAMLResult"
+      ( \s h x ->
+          AssumeRoleWithSAMLResponse'
+            Prelude.<$> (x Data..@? "AssumedRoleUser")
+            Prelude.<*> (x Data..@? "Audience")
+            Prelude.<*> (x Data..@? "Credentials")
+            Prelude.<*> (x Data..@? "Issuer")
+            Prelude.<*> (x Data..@? "NameQualifier")
+            Prelude.<*> (x Data..@? "PackedPolicySize")
+            Prelude.<*> (x Data..@? "SourceIdentity")
+            Prelude.<*> (x Data..@? "Subject")
+            Prelude.<*> (x Data..@? "SubjectType")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable AssumeRoleWithSAML where
+  hashWithSalt _salt AssumeRoleWithSAML' {..} =
+    _salt
+      `Prelude.hashWithSalt` durationSeconds
+      `Prelude.hashWithSalt` policy
+      `Prelude.hashWithSalt` policyArns
+      `Prelude.hashWithSalt` roleArn
+      `Prelude.hashWithSalt` principalArn
+      `Prelude.hashWithSalt` sAMLAssertion
+
+instance Prelude.NFData AssumeRoleWithSAML where
+  rnf AssumeRoleWithSAML' {..} =
+    Prelude.rnf durationSeconds
+      `Prelude.seq` Prelude.rnf policy
+      `Prelude.seq` Prelude.rnf policyArns
+      `Prelude.seq` Prelude.rnf roleArn
+      `Prelude.seq` Prelude.rnf principalArn
+      `Prelude.seq` Prelude.rnf sAMLAssertion
+
+instance Data.ToHeaders AssumeRoleWithSAML where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath AssumeRoleWithSAML where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery AssumeRoleWithSAML where
+  toQuery AssumeRoleWithSAML' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("AssumeRoleWithSAML" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "DurationSeconds" Data.=: durationSeconds,
+        "Policy" Data.=: policy,
+        "PolicyArns"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> policyArns),
+        "RoleArn" Data.=: roleArn,
+        "PrincipalArn" Data.=: principalArn,
+        "SAMLAssertion" Data.=: sAMLAssertion
+      ]
+
+-- | Contains the response to a successful AssumeRoleWithSAML request,
+-- including temporary Amazon Web Services credentials that can be used to
+-- make Amazon Web Services requests.
+--
+-- /See:/ 'newAssumeRoleWithSAMLResponse' smart constructor.
+data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse'
+  { -- | The identifiers for the temporary security credentials that the
+    -- operation returns.
+    assumedRoleUser :: Prelude.Maybe AssumedRoleUser,
+    -- | The value of the @Recipient@ attribute of the @SubjectConfirmationData@
+    -- element of the SAML assertion.
+    audience :: Prelude.Maybe Prelude.Text,
+    -- | The temporary security credentials, which include an access key ID, a
+    -- secret access key, and a security (or session) token.
+    --
+    -- The size of the security token that STS API operations return is not
+    -- fixed. We strongly recommend that you make no assumptions about the
+    -- maximum size.
+    credentials :: Prelude.Maybe Core.AuthEnv,
+    -- | The value of the @Issuer@ element of the SAML assertion.
+    issuer :: Prelude.Maybe Prelude.Text,
+    -- | A hash value based on the concatenation of the following:
+    --
+    -- -   The @Issuer@ response value.
+    --
+    -- -   The Amazon Web Services account ID.
+    --
+    -- -   The friendly name (the last part of the ARN) of the SAML provider in
+    --     IAM.
+    --
+    -- The combination of @NameQualifier@ and @Subject@ can be used to uniquely
+    -- identify a federated user.
+    --
+    -- The following pseudocode shows how the hash value is calculated:
+    --
+    -- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@
+    nameQualifier :: Prelude.Maybe Prelude.Text,
+    -- | A percentage value that indicates the packed size of the session
+    -- policies and session tags combined passed in the request. The request
+    -- fails if the packed size is greater than 100 percent, which means the
+    -- policies and tags exceeded the allowed space.
+    packedPolicySize :: Prelude.Maybe Prelude.Natural,
+    -- | The value in the @SourceIdentity@ attribute in the SAML assertion.
+    --
+    -- You can require users to set a source identity value when they assume a
+    -- role. You do this by using the @sts:SourceIdentity@ condition key in a
+    -- role trust policy. That way, actions that are taken with the role are
+    -- associated with that user. After the source identity is set, the value
+    -- cannot be changed. It is present in the request for all actions that are
+    -- taken by the role and persists across
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+    -- sessions. You can configure your SAML identity provider to use an
+    -- attribute associated with your users, like user name or email, as the
+    -- source identity when calling @AssumeRoleWithSAML@. You do this by adding
+    -- an attribute to the SAML assertion. For more information about using
+    -- source identity, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+    -- in the /IAM User Guide/.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    sourceIdentity :: Prelude.Maybe Prelude.Text,
+    -- | The value of the @NameID@ element in the @Subject@ element of the SAML
+    -- assertion.
+    subject :: Prelude.Maybe Prelude.Text,
+    -- | The format of the name ID, as defined by the @Format@ attribute in the
+    -- @NameID@ element of the SAML assertion. Typical examples of the format
+    -- are @transient@ or @persistent@.
+    --
+    -- If the format includes the prefix
+    -- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For
+    -- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is
+    -- returned as @transient@. If the format includes any other prefix, the
+    -- format is returned with no modifications.
+    subjectType :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRoleWithSAMLResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'assumedRoleUser', 'assumeRoleWithSAMLResponse_assumedRoleUser' - The identifiers for the temporary security credentials that the
+-- operation returns.
+--
+-- 'audience', 'assumeRoleWithSAMLResponse_audience' - The value of the @Recipient@ attribute of the @SubjectConfirmationData@
+-- element of the SAML assertion.
+--
+-- 'credentials', 'assumeRoleWithSAMLResponse_credentials' - The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+--
+-- 'issuer', 'assumeRoleWithSAMLResponse_issuer' - The value of the @Issuer@ element of the SAML assertion.
+--
+-- 'nameQualifier', 'assumeRoleWithSAMLResponse_nameQualifier' - A hash value based on the concatenation of the following:
+--
+-- -   The @Issuer@ response value.
+--
+-- -   The Amazon Web Services account ID.
+--
+-- -   The friendly name (the last part of the ARN) of the SAML provider in
+--     IAM.
+--
+-- The combination of @NameQualifier@ and @Subject@ can be used to uniquely
+-- identify a federated user.
+--
+-- The following pseudocode shows how the hash value is calculated:
+--
+-- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@
+--
+-- 'packedPolicySize', 'assumeRoleWithSAMLResponse_packedPolicySize' - A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+--
+-- 'sourceIdentity', 'assumeRoleWithSAMLResponse_sourceIdentity' - The value in the @SourceIdentity@ attribute in the SAML assertion.
+--
+-- You can require users to set a source identity value when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. That way, actions that are taken with the role are
+-- associated with that user. After the source identity is set, the value
+-- cannot be changed. It is present in the request for all actions that are
+-- taken by the role and persists across
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+-- sessions. You can configure your SAML identity provider to use an
+-- attribute associated with your users, like user name or email, as the
+-- source identity when calling @AssumeRoleWithSAML@. You do this by adding
+-- an attribute to the SAML assertion. For more information about using
+-- source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+--
+-- 'subject', 'assumeRoleWithSAMLResponse_subject' - The value of the @NameID@ element in the @Subject@ element of the SAML
+-- assertion.
+--
+-- 'subjectType', 'assumeRoleWithSAMLResponse_subjectType' - The format of the name ID, as defined by the @Format@ attribute in the
+-- @NameID@ element of the SAML assertion. Typical examples of the format
+-- are @transient@ or @persistent@.
+--
+-- If the format includes the prefix
+-- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For
+-- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is
+-- returned as @transient@. If the format includes any other prefix, the
+-- format is returned with no modifications.
+--
+-- 'httpStatus', 'assumeRoleWithSAMLResponse_httpStatus' - The response's http status code.
+newAssumeRoleWithSAMLResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  AssumeRoleWithSAMLResponse
+newAssumeRoleWithSAMLResponse pHttpStatus_ =
+  AssumeRoleWithSAMLResponse'
+    { assumedRoleUser =
+        Prelude.Nothing,
+      audience = Prelude.Nothing,
+      credentials = Prelude.Nothing,
+      issuer = Prelude.Nothing,
+      nameQualifier = Prelude.Nothing,
+      packedPolicySize = Prelude.Nothing,
+      sourceIdentity = Prelude.Nothing,
+      subject = Prelude.Nothing,
+      subjectType = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The identifiers for the temporary security credentials that the
+-- operation returns.
+assumeRoleWithSAMLResponse_assumedRoleUser :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe AssumedRoleUser)
+assumeRoleWithSAMLResponse_assumedRoleUser = Lens.lens (\AssumeRoleWithSAMLResponse' {assumedRoleUser} -> assumedRoleUser) (\s@AssumeRoleWithSAMLResponse' {} a -> s {assumedRoleUser = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The value of the @Recipient@ attribute of the @SubjectConfirmationData@
+-- element of the SAML assertion.
+assumeRoleWithSAMLResponse_audience :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_audience = Lens.lens (\AssumeRoleWithSAMLResponse' {audience} -> audience) (\s@AssumeRoleWithSAMLResponse' {} a -> s {audience = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+assumeRoleWithSAMLResponse_credentials :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Core.AuthEnv)
+assumeRoleWithSAMLResponse_credentials = Lens.lens (\AssumeRoleWithSAMLResponse' {credentials} -> credentials) (\s@AssumeRoleWithSAMLResponse' {} a -> s {credentials = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The value of the @Issuer@ element of the SAML assertion.
+assumeRoleWithSAMLResponse_issuer :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_issuer = Lens.lens (\AssumeRoleWithSAMLResponse' {issuer} -> issuer) (\s@AssumeRoleWithSAMLResponse' {} a -> s {issuer = a} :: AssumeRoleWithSAMLResponse)
+
+-- | A hash value based on the concatenation of the following:
+--
+-- -   The @Issuer@ response value.
+--
+-- -   The Amazon Web Services account ID.
+--
+-- -   The friendly name (the last part of the ARN) of the SAML provider in
+--     IAM.
+--
+-- The combination of @NameQualifier@ and @Subject@ can be used to uniquely
+-- identify a federated user.
+--
+-- The following pseudocode shows how the hash value is calculated:
+--
+-- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@
+assumeRoleWithSAMLResponse_nameQualifier :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_nameQualifier = Lens.lens (\AssumeRoleWithSAMLResponse' {nameQualifier} -> nameQualifier) (\s@AssumeRoleWithSAMLResponse' {} a -> s {nameQualifier = a} :: AssumeRoleWithSAMLResponse)
+
+-- | A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+assumeRoleWithSAMLResponse_packedPolicySize :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Natural)
+assumeRoleWithSAMLResponse_packedPolicySize = Lens.lens (\AssumeRoleWithSAMLResponse' {packedPolicySize} -> packedPolicySize) (\s@AssumeRoleWithSAMLResponse' {} a -> s {packedPolicySize = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The value in the @SourceIdentity@ attribute in the SAML assertion.
+--
+-- You can require users to set a source identity value when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. That way, actions that are taken with the role are
+-- associated with that user. After the source identity is set, the value
+-- cannot be changed. It is present in the request for all actions that are
+-- taken by the role and persists across
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+-- sessions. You can configure your SAML identity provider to use an
+-- attribute associated with your users, like user name or email, as the
+-- source identity when calling @AssumeRoleWithSAML@. You do this by adding
+-- an attribute to the SAML assertion. For more information about using
+-- source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRoleWithSAMLResponse_sourceIdentity :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_sourceIdentity = Lens.lens (\AssumeRoleWithSAMLResponse' {sourceIdentity} -> sourceIdentity) (\s@AssumeRoleWithSAMLResponse' {} a -> s {sourceIdentity = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The value of the @NameID@ element in the @Subject@ element of the SAML
+-- assertion.
+assumeRoleWithSAMLResponse_subject :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_subject = Lens.lens (\AssumeRoleWithSAMLResponse' {subject} -> subject) (\s@AssumeRoleWithSAMLResponse' {} a -> s {subject = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The format of the name ID, as defined by the @Format@ attribute in the
+-- @NameID@ element of the SAML assertion. Typical examples of the format
+-- are @transient@ or @persistent@.
+--
+-- If the format includes the prefix
+-- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For
+-- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is
+-- returned as @transient@. If the format includes any other prefix, the
+-- format is returned with no modifications.
+assumeRoleWithSAMLResponse_subjectType :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithSAMLResponse_subjectType = Lens.lens (\AssumeRoleWithSAMLResponse' {subjectType} -> subjectType) (\s@AssumeRoleWithSAMLResponse' {} a -> s {subjectType = a} :: AssumeRoleWithSAMLResponse)
+
+-- | The response's http status code.
+assumeRoleWithSAMLResponse_httpStatus :: Lens.Lens' AssumeRoleWithSAMLResponse Prelude.Int
+assumeRoleWithSAMLResponse_httpStatus = Lens.lens (\AssumeRoleWithSAMLResponse' {httpStatus} -> httpStatus) (\s@AssumeRoleWithSAMLResponse' {} a -> s {httpStatus = a} :: AssumeRoleWithSAMLResponse)
+
+instance Prelude.NFData AssumeRoleWithSAMLResponse where
+  rnf AssumeRoleWithSAMLResponse' {..} =
+    Prelude.rnf assumedRoleUser
+      `Prelude.seq` Prelude.rnf audience
+      `Prelude.seq` Prelude.rnf credentials
+      `Prelude.seq` Prelude.rnf issuer
+      `Prelude.seq` Prelude.rnf nameQualifier
+      `Prelude.seq` Prelude.rnf packedPolicySize
+      `Prelude.seq` Prelude.rnf sourceIdentity
+      `Prelude.seq` Prelude.rnf subject
+      `Prelude.seq` Prelude.rnf subjectType
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/AssumeRoleWithWebIdentity.hs b/gen/Amazonka/STS/AssumeRoleWithWebIdentity.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/AssumeRoleWithWebIdentity.hs
@@ -0,0 +1,915 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.AssumeRoleWithWebIdentity
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns a set of temporary security credentials for users who have been
+-- authenticated in a mobile or web application with a web identity
+-- provider. Example providers include the OAuth 2.0 providers Login with
+-- Amazon and Facebook, or any OpenID Connect-compatible identity provider
+-- such as Google or
+-- <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html Amazon Cognito federated identities>.
+--
+-- For mobile applications, we recommend that you use Amazon Cognito. You
+-- can use Amazon Cognito with the
+-- <http://aws.amazon.com/sdkforios/ Amazon Web Services SDK for iOS Developer Guide>
+-- and the
+-- <http://aws.amazon.com/sdkforandroid/ Amazon Web Services SDK for Android Developer Guide>
+-- to uniquely identify a user. You can also supply the user with a
+-- consistent identity throughout the lifetime of an application.
+--
+-- To learn more about Amazon Cognito, see
+-- <https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview>
+-- in /Amazon Web Services SDK for Android Developer Guide/ and
+-- <https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview>
+-- in the /Amazon Web Services SDK for iOS Developer Guide/.
+--
+-- Calling @AssumeRoleWithWebIdentity@ does not require the use of Amazon
+-- Web Services security credentials. Therefore, you can distribute an
+-- application (for example, on mobile devices) that requests temporary
+-- security credentials without including long-term Amazon Web Services
+-- credentials in the application. You also don\'t need to deploy
+-- server-based proxy services that use long-term Amazon Web Services
+-- credentials. Instead, the identity of the caller is validated by using a
+-- token from the web identity provider. For a comparison of
+-- @AssumeRoleWithWebIdentity@ with the other API operations that produce
+-- temporary credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the Amazon Web Services STS API operations>
+-- in the /IAM User Guide/.
+--
+-- The temporary security credentials returned by this API consist of an
+-- access key ID, a secret access key, and a security token. Applications
+-- can use these temporary security credentials to sign calls to Amazon Web
+-- Services service API operations.
+--
+-- __Session Duration__
+--
+-- By default, the temporary security credentials created by
+-- @AssumeRoleWithWebIdentity@ last for one hour. However, you can use the
+-- optional @DurationSeconds@ parameter to specify the duration of your
+-- session. You can provide a value from 900 seconds (15 minutes) up to the
+-- maximum session duration setting for the role. This setting can have a
+-- value from 1 hour to 12 hours. To learn how to view the maximum value
+-- for your role, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/. The maximum session duration limit applies when
+-- you use the @AssumeRole*@ API operations or the @assume-role*@ CLI
+-- commands. However the limit does not apply when you use those operations
+-- to create a console URL. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html Using IAM Roles>
+-- in the /IAM User Guide/.
+--
+-- __Permissions__
+--
+-- The temporary security credentials created by
+-- @AssumeRoleWithWebIdentity@ can be used to make API calls to any Amazon
+-- Web Services service with the following exception: you cannot call the
+-- STS @GetFederationToken@ or @GetSessionToken@ API operations.
+--
+-- (Optional) You can pass inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. Passing policies to this operation
+-- returns new temporary credentials. The resulting session\'s permissions
+-- are the intersection of the role\'s identity-based policy and the
+-- session policies. You can use the role\'s temporary credentials in
+-- subsequent Amazon Web Services API calls to access resources in the
+-- account that owns the role. You cannot use session policies to grant
+-- more permissions than those allowed by the identity-based policy of the
+-- role that is being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- __Tags__
+--
+-- (Optional) You can configure your IdP to pass attributes into your web
+-- identity token as session tags. Each session tag consists of a key name
+-- and an associated value. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- You can pass up to 50 session tags. The plaintext session tag keys can’t
+-- exceed 128 characters and the values can’t exceed 256 characters. For
+-- these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is attached
+-- to the role. When you do, the session tag overrides the role tag with
+-- the same key.
+--
+-- An administrator must grant you the permissions necessary to pass
+-- session tags. The administrator can also create granular permissions to
+-- allow you to pass only specific session tags. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control>
+-- in the /IAM User Guide/.
+--
+-- You can set the session tags as transitive. Transitive tags persist
+-- during role chaining. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags>
+-- in the /IAM User Guide/.
+--
+-- __Identities__
+--
+-- Before your application can call @AssumeRoleWithWebIdentity@, you must
+-- have an identity token from a supported identity provider and create a
+-- role that the application can assume. The role that your application
+-- assumes must trust the identity provider that is associated with the
+-- identity token. In other words, the identity provider must be specified
+-- in the role\'s trust policy.
+--
+-- Calling @AssumeRoleWithWebIdentity@ can result in an entry in your
+-- CloudTrail logs. The entry includes the
+-- <http://openid.net/specs/openid-connect-core-1_0.html#Claims Subject> of
+-- the provided web identity token. We recommend that you avoid using any
+-- personally identifiable information (PII) in this field. For example,
+-- you could instead use a GUID or a pairwise identifier, as
+-- <http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes suggested in the OIDC specification>.
+--
+-- For more information about how to use web identity federation and the
+-- @AssumeRoleWithWebIdentity@ API, see the following resources:
+--
+-- -   <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html Using Web Identity Federation API Operations for Mobile Apps>
+--     and
+--     <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>.
+--
+-- -   <https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/ Web Identity Federation Playground>.
+--     Walk through the process of authenticating through Login with
+--     Amazon, Facebook, or Google, getting temporary security credentials,
+--     and then using those credentials to make a request to Amazon Web
+--     Services.
+--
+-- -   <http://aws.amazon.com/sdkforios/ Amazon Web Services SDK for iOS Developer Guide>
+--     and
+--     <http://aws.amazon.com/sdkforandroid/ Amazon Web Services SDK for Android Developer Guide>.
+--     These toolkits contain sample apps that show how to invoke the
+--     identity providers. The toolkits then show how to use the
+--     information from these providers to get and use temporary security
+--     credentials.
+--
+-- -   <http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications Web Identity Federation with Mobile Applications>.
+--     This article discusses web identity federation and shows an example
+--     of how to use web identity federation to get access to content in
+--     Amazon S3.
+module Amazonka.STS.AssumeRoleWithWebIdentity
+  ( -- * Creating a Request
+    AssumeRoleWithWebIdentity (..),
+    newAssumeRoleWithWebIdentity,
+
+    -- * Request Lenses
+    assumeRoleWithWebIdentity_durationSeconds,
+    assumeRoleWithWebIdentity_policy,
+    assumeRoleWithWebIdentity_policyArns,
+    assumeRoleWithWebIdentity_providerId,
+    assumeRoleWithWebIdentity_roleArn,
+    assumeRoleWithWebIdentity_roleSessionName,
+    assumeRoleWithWebIdentity_webIdentityToken,
+
+    -- * Destructuring the Response
+    AssumeRoleWithWebIdentityResponse (..),
+    newAssumeRoleWithWebIdentityResponse,
+
+    -- * Response Lenses
+    assumeRoleWithWebIdentityResponse_assumedRoleUser,
+    assumeRoleWithWebIdentityResponse_audience,
+    assumeRoleWithWebIdentityResponse_packedPolicySize,
+    assumeRoleWithWebIdentityResponse_provider,
+    assumeRoleWithWebIdentityResponse_sourceIdentity,
+    assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken,
+    assumeRoleWithWebIdentityResponse_httpStatus,
+    assumeRoleWithWebIdentityResponse_credentials,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newAssumeRoleWithWebIdentity' smart constructor.
+data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity'
+  { -- | The duration, in seconds, of the role session. The value can range from
+    -- 900 seconds (15 minutes) up to the maximum session duration setting for
+    -- the role. This setting can have a value from 1 hour to 12 hours. If you
+    -- specify a value higher than this setting, the operation fails. For
+    -- example, if you specify a session duration of 12 hours, but your
+    -- administrator set the maximum session duration to 6 hours, your
+    -- operation fails. To learn how to view the maximum value for your role,
+    -- see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+    -- in the /IAM User Guide/.
+    --
+    -- By default, the value is set to @3600@ seconds.
+    --
+    -- The @DurationSeconds@ parameter is separate from the duration of a
+    -- console session that you might request using the returned credentials.
+    -- The request to the federation endpoint for a console sign-in token takes
+    -- a @SessionDuration@ parameter that specifies the maximum length of the
+    -- console session. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+    -- in the /IAM User Guide/.
+    durationSeconds :: Prelude.Maybe Prelude.Natural,
+    -- | An IAM policy in JSON format that you want to use as an inline session
+    -- policy.
+    --
+    -- This parameter is optional. Passing policies to this operation returns
+    -- new temporary credentials. The resulting session\'s permissions are the
+    -- intersection of the role\'s identity-based policy and the session
+    -- policies. You can use the role\'s temporary credentials in subsequent
+    -- Amazon Web Services API calls to access resources in the account that
+    -- owns the role. You cannot use session policies to grant more permissions
+    -- than those allowed by the identity-based policy of the role that is
+    -- being assumed. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    --
+    -- The plaintext that you use for both inline and managed session policies
+    -- can\'t exceed 2,048 characters. The JSON policy characters can be any
+    -- ASCII character from the space character to the end of the valid
+    -- character list (\\u0020 through \\u00FF). It can also include the tab
+    -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    policy :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    -- want to use as managed session policies. The policies must exist in the
+    -- same account as the role.
+    --
+    -- This parameter is optional. You can provide up to 10 managed policy
+    -- ARNs. However, the plaintext that you use for both inline and managed
+    -- session policies can\'t exceed 2,048 characters. For more information
+    -- about ARNs, see
+    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+    -- in the Amazon Web Services General Reference.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    --
+    -- Passing policies to this operation returns new temporary credentials.
+    -- The resulting session\'s permissions are the intersection of the role\'s
+    -- identity-based policy and the session policies. You can use the role\'s
+    -- temporary credentials in subsequent Amazon Web Services API calls to
+    -- access resources in the account that owns the role. You cannot use
+    -- session policies to grant more permissions than those allowed by the
+    -- identity-based policy of the role that is being assumed. For more
+    -- information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    policyArns :: Prelude.Maybe [PolicyDescriptorType],
+    -- | The fully qualified host component of the domain name of the OAuth 2.0
+    -- identity provider. Do not specify this value for an OpenID Connect
+    -- identity provider.
+    --
+    -- Currently @www.amazon.com@ and @graph.facebook.com@ are the only
+    -- supported identity providers for OAuth 2.0 access tokens. Do not include
+    -- URL schemes and port numbers.
+    --
+    -- Do not specify this value for OpenID Connect ID tokens.
+    providerId :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+    roleArn :: Prelude.Text,
+    -- | An identifier for the assumed role session. Typically, you pass the name
+    -- or identifier that is associated with the user who is using your
+    -- application. That way, the temporary security credentials that your
+    -- application will use are associated with that user. This session name is
+    -- included as part of the ARN and assumed role ID in the @AssumedRoleUser@
+    -- response element.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    roleSessionName :: Prelude.Text,
+    -- | The OAuth 2.0 access token or OpenID Connect ID token that is provided
+    -- by the identity provider. Your application must get this token by
+    -- authenticating the user who is using your application with a web
+    -- identity provider before the application makes an
+    -- @AssumeRoleWithWebIdentity@ call.
+    webIdentityToken :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRoleWithWebIdentity' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'durationSeconds', 'assumeRoleWithWebIdentity_durationSeconds' - The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) up to the maximum session duration setting for
+-- the role. This setting can have a value from 1 hour to 12 hours. If you
+-- specify a value higher than this setting, the operation fails. For
+-- example, if you specify a session duration of 12 hours, but your
+-- administrator set the maximum session duration to 6 hours, your
+-- operation fails. To learn how to view the maximum value for your role,
+-- see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+--
+-- 'policy', 'assumeRoleWithWebIdentity_policy' - An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- 'policyArns', 'assumeRoleWithWebIdentity_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- 'providerId', 'assumeRoleWithWebIdentity_providerId' - The fully qualified host component of the domain name of the OAuth 2.0
+-- identity provider. Do not specify this value for an OpenID Connect
+-- identity provider.
+--
+-- Currently @www.amazon.com@ and @graph.facebook.com@ are the only
+-- supported identity providers for OAuth 2.0 access tokens. Do not include
+-- URL schemes and port numbers.
+--
+-- Do not specify this value for OpenID Connect ID tokens.
+--
+-- 'roleArn', 'assumeRoleWithWebIdentity_roleArn' - The Amazon Resource Name (ARN) of the role that the caller is assuming.
+--
+-- 'roleSessionName', 'assumeRoleWithWebIdentity_roleSessionName' - An identifier for the assumed role session. Typically, you pass the name
+-- or identifier that is associated with the user who is using your
+-- application. That way, the temporary security credentials that your
+-- application will use are associated with that user. This session name is
+-- included as part of the ARN and assumed role ID in the @AssumedRoleUser@
+-- response element.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+--
+-- 'webIdentityToken', 'assumeRoleWithWebIdentity_webIdentityToken' - The OAuth 2.0 access token or OpenID Connect ID token that is provided
+-- by the identity provider. Your application must get this token by
+-- authenticating the user who is using your application with a web
+-- identity provider before the application makes an
+-- @AssumeRoleWithWebIdentity@ call.
+newAssumeRoleWithWebIdentity ::
+  -- | 'roleArn'
+  Prelude.Text ->
+  -- | 'roleSessionName'
+  Prelude.Text ->
+  -- | 'webIdentityToken'
+  Prelude.Text ->
+  AssumeRoleWithWebIdentity
+newAssumeRoleWithWebIdentity
+  pRoleArn_
+  pRoleSessionName_
+  pWebIdentityToken_ =
+    AssumeRoleWithWebIdentity'
+      { durationSeconds =
+          Prelude.Nothing,
+        policy = Prelude.Nothing,
+        policyArns = Prelude.Nothing,
+        providerId = Prelude.Nothing,
+        roleArn = pRoleArn_,
+        roleSessionName = pRoleSessionName_,
+        webIdentityToken = pWebIdentityToken_
+      }
+
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) up to the maximum session duration setting for
+-- the role. This setting can have a value from 1 hour to 12 hours. If you
+-- specify a value higher than this setting, the operation fails. For
+-- example, if you specify a session duration of 12 hours, but your
+-- administrator set the maximum session duration to 6 hours, your
+-- operation fails. To learn how to view the maximum value for your role,
+-- see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role>
+-- in the /IAM User Guide/.
+--
+-- By default, the value is set to @3600@ seconds.
+--
+-- The @DurationSeconds@ parameter is separate from the duration of a
+-- console session that you might request using the returned credentials.
+-- The request to the federation endpoint for a console sign-in token takes
+-- a @SessionDuration@ parameter that specifies the maximum length of the
+-- console session. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console>
+-- in the /IAM User Guide/.
+assumeRoleWithWebIdentity_durationSeconds :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Natural)
+assumeRoleWithWebIdentity_durationSeconds = Lens.lens (\AssumeRoleWithWebIdentity' {durationSeconds} -> durationSeconds) (\s@AssumeRoleWithWebIdentity' {} a -> s {durationSeconds = a} :: AssumeRoleWithWebIdentity)
+
+-- | An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- This parameter is optional. Passing policies to this operation returns
+-- new temporary credentials. The resulting session\'s permissions are the
+-- intersection of the role\'s identity-based policy and the session
+-- policies. You can use the role\'s temporary credentials in subsequent
+-- Amazon Web Services API calls to access resources in the account that
+-- owns the role. You cannot use session policies to grant more permissions
+-- than those allowed by the identity-based policy of the role that is
+-- being assumed. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+assumeRoleWithWebIdentity_policy :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentity_policy = Lens.lens (\AssumeRoleWithWebIdentity' {policy} -> policy) (\s@AssumeRoleWithWebIdentity' {} a -> s {policy = a} :: AssumeRoleWithWebIdentity)
+
+-- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as managed session policies. The policies must exist in the
+-- same account as the role.
+--
+-- This parameter is optional. You can provide up to 10 managed policy
+-- ARNs. However, the plaintext that you use for both inline and managed
+-- session policies can\'t exceed 2,048 characters. For more information
+-- about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- Passing policies to this operation returns new temporary credentials.
+-- The resulting session\'s permissions are the intersection of the role\'s
+-- identity-based policy and the session policies. You can use the role\'s
+-- temporary credentials in subsequent Amazon Web Services API calls to
+-- access resources in the account that owns the role. You cannot use
+-- session policies to grant more permissions than those allowed by the
+-- identity-based policy of the role that is being assumed. For more
+-- information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+assumeRoleWithWebIdentity_policyArns :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe [PolicyDescriptorType])
+assumeRoleWithWebIdentity_policyArns = Lens.lens (\AssumeRoleWithWebIdentity' {policyArns} -> policyArns) (\s@AssumeRoleWithWebIdentity' {} a -> s {policyArns = a} :: AssumeRoleWithWebIdentity) Prelude.. Lens.mapping Lens.coerced
+
+-- | The fully qualified host component of the domain name of the OAuth 2.0
+-- identity provider. Do not specify this value for an OpenID Connect
+-- identity provider.
+--
+-- Currently @www.amazon.com@ and @graph.facebook.com@ are the only
+-- supported identity providers for OAuth 2.0 access tokens. Do not include
+-- URL schemes and port numbers.
+--
+-- Do not specify this value for OpenID Connect ID tokens.
+assumeRoleWithWebIdentity_providerId :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentity_providerId = Lens.lens (\AssumeRoleWithWebIdentity' {providerId} -> providerId) (\s@AssumeRoleWithWebIdentity' {} a -> s {providerId = a} :: AssumeRoleWithWebIdentity)
+
+-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+assumeRoleWithWebIdentity_roleArn :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text
+assumeRoleWithWebIdentity_roleArn = Lens.lens (\AssumeRoleWithWebIdentity' {roleArn} -> roleArn) (\s@AssumeRoleWithWebIdentity' {} a -> s {roleArn = a} :: AssumeRoleWithWebIdentity)
+
+-- | An identifier for the assumed role session. Typically, you pass the name
+-- or identifier that is associated with the user who is using your
+-- application. That way, the temporary security credentials that your
+-- application will use are associated with that user. This session name is
+-- included as part of the ARN and assumed role ID in the @AssumedRoleUser@
+-- response element.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRoleWithWebIdentity_roleSessionName :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text
+assumeRoleWithWebIdentity_roleSessionName = Lens.lens (\AssumeRoleWithWebIdentity' {roleSessionName} -> roleSessionName) (\s@AssumeRoleWithWebIdentity' {} a -> s {roleSessionName = a} :: AssumeRoleWithWebIdentity)
+
+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided
+-- by the identity provider. Your application must get this token by
+-- authenticating the user who is using your application with a web
+-- identity provider before the application makes an
+-- @AssumeRoleWithWebIdentity@ call.
+assumeRoleWithWebIdentity_webIdentityToken :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text
+assumeRoleWithWebIdentity_webIdentityToken = Lens.lens (\AssumeRoleWithWebIdentity' {webIdentityToken} -> webIdentityToken) (\s@AssumeRoleWithWebIdentity' {} a -> s {webIdentityToken = a} :: AssumeRoleWithWebIdentity)
+
+instance Core.AWSRequest AssumeRoleWithWebIdentity where
+  type
+    AWSResponse AssumeRoleWithWebIdentity =
+      AssumeRoleWithWebIdentityResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "AssumeRoleWithWebIdentityResult"
+      ( \s h x ->
+          AssumeRoleWithWebIdentityResponse'
+            Prelude.<$> (x Data..@? "AssumedRoleUser")
+            Prelude.<*> (x Data..@? "Audience")
+            Prelude.<*> (x Data..@? "PackedPolicySize")
+            Prelude.<*> (x Data..@? "Provider")
+            Prelude.<*> (x Data..@? "SourceIdentity")
+            Prelude.<*> (x Data..@? "SubjectFromWebIdentityToken")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+            Prelude.<*> (x Data..@ "Credentials")
+      )
+
+instance Prelude.Hashable AssumeRoleWithWebIdentity where
+  hashWithSalt _salt AssumeRoleWithWebIdentity' {..} =
+    _salt
+      `Prelude.hashWithSalt` durationSeconds
+      `Prelude.hashWithSalt` policy
+      `Prelude.hashWithSalt` policyArns
+      `Prelude.hashWithSalt` providerId
+      `Prelude.hashWithSalt` roleArn
+      `Prelude.hashWithSalt` roleSessionName
+      `Prelude.hashWithSalt` webIdentityToken
+
+instance Prelude.NFData AssumeRoleWithWebIdentity where
+  rnf AssumeRoleWithWebIdentity' {..} =
+    Prelude.rnf durationSeconds
+      `Prelude.seq` Prelude.rnf policy
+      `Prelude.seq` Prelude.rnf policyArns
+      `Prelude.seq` Prelude.rnf providerId
+      `Prelude.seq` Prelude.rnf roleArn
+      `Prelude.seq` Prelude.rnf roleSessionName
+      `Prelude.seq` Prelude.rnf webIdentityToken
+
+instance Data.ToHeaders AssumeRoleWithWebIdentity where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath AssumeRoleWithWebIdentity where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery AssumeRoleWithWebIdentity where
+  toQuery AssumeRoleWithWebIdentity' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("AssumeRoleWithWebIdentity" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "DurationSeconds" Data.=: durationSeconds,
+        "Policy" Data.=: policy,
+        "PolicyArns"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> policyArns),
+        "ProviderId" Data.=: providerId,
+        "RoleArn" Data.=: roleArn,
+        "RoleSessionName" Data.=: roleSessionName,
+        "WebIdentityToken" Data.=: webIdentityToken
+      ]
+
+-- | Contains the response to a successful AssumeRoleWithWebIdentity request,
+-- including temporary Amazon Web Services credentials that can be used to
+-- make Amazon Web Services requests.
+--
+-- /See:/ 'newAssumeRoleWithWebIdentityResponse' smart constructor.
+data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse'
+  { -- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+    -- identifiers that you can use to refer to the resulting temporary
+    -- security credentials. For example, you can reference these credentials
+    -- as a principal in a resource-based policy by using the ARN or assumed
+    -- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+    -- when you called @AssumeRole@.
+    assumedRoleUser :: Prelude.Maybe AssumedRoleUser,
+    -- | The intended audience (also known as client ID) of the web identity
+    -- token. This is traditionally the client identifier issued to the
+    -- application that requested the web identity token.
+    audience :: Prelude.Maybe Prelude.Text,
+    -- | A percentage value that indicates the packed size of the session
+    -- policies and session tags combined passed in the request. The request
+    -- fails if the packed size is greater than 100 percent, which means the
+    -- policies and tags exceeded the allowed space.
+    packedPolicySize :: Prelude.Maybe Prelude.Natural,
+    -- | The issuing authority of the web identity token presented. For OpenID
+    -- Connect ID tokens, this contains the value of the @iss@ field. For OAuth
+    -- 2.0 access tokens, this contains the value of the @ProviderId@ parameter
+    -- that was passed in the @AssumeRoleWithWebIdentity@ request.
+    provider :: Prelude.Maybe Prelude.Text,
+    -- | The value of the source identity that is returned in the JSON web token
+    -- (JWT) from the identity provider.
+    --
+    -- You can require users to set a source identity value when they assume a
+    -- role. You do this by using the @sts:SourceIdentity@ condition key in a
+    -- role trust policy. That way, actions that are taken with the role are
+    -- associated with that user. After the source identity is set, the value
+    -- cannot be changed. It is present in the request for all actions that are
+    -- taken by the role and persists across
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+    -- sessions. You can configure your identity provider to use an attribute
+    -- associated with your users, like user name or email, as the source
+    -- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding
+    -- a claim to the JSON web token. To learn more about OIDC tokens and
+    -- claims, see
+    -- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools>
+    -- in the /Amazon Cognito Developer Guide/. For more information about
+    -- using source identity, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+    -- in the /IAM User Guide/.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    sourceIdentity :: Prelude.Maybe Prelude.Text,
+    -- | The unique user identifier that is returned by the identity provider.
+    -- This identifier is associated with the @WebIdentityToken@ that was
+    -- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is
+    -- typically unique to the user and the application that acquired the
+    -- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens,
+    -- this field contains the value returned by the identity provider as the
+    -- token\'s @sub@ (Subject) claim.
+    subjectFromWebIdentityToken :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int,
+    -- | The temporary security credentials, which include an access key ID, a
+    -- secret access key, and a security token.
+    --
+    -- The size of the security token that STS API operations return is not
+    -- fixed. We strongly recommend that you make no assumptions about the
+    -- maximum size.
+    credentials :: Core.AuthEnv
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumeRoleWithWebIdentityResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'assumedRoleUser', 'assumeRoleWithWebIdentityResponse_assumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+-- when you called @AssumeRole@.
+--
+-- 'audience', 'assumeRoleWithWebIdentityResponse_audience' - The intended audience (also known as client ID) of the web identity
+-- token. This is traditionally the client identifier issued to the
+-- application that requested the web identity token.
+--
+-- 'packedPolicySize', 'assumeRoleWithWebIdentityResponse_packedPolicySize' - A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+--
+-- 'provider', 'assumeRoleWithWebIdentityResponse_provider' - The issuing authority of the web identity token presented. For OpenID
+-- Connect ID tokens, this contains the value of the @iss@ field. For OAuth
+-- 2.0 access tokens, this contains the value of the @ProviderId@ parameter
+-- that was passed in the @AssumeRoleWithWebIdentity@ request.
+--
+-- 'sourceIdentity', 'assumeRoleWithWebIdentityResponse_sourceIdentity' - The value of the source identity that is returned in the JSON web token
+-- (JWT) from the identity provider.
+--
+-- You can require users to set a source identity value when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. That way, actions that are taken with the role are
+-- associated with that user. After the source identity is set, the value
+-- cannot be changed. It is present in the request for all actions that are
+-- taken by the role and persists across
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+-- sessions. You can configure your identity provider to use an attribute
+-- associated with your users, like user name or email, as the source
+-- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding
+-- a claim to the JSON web token. To learn more about OIDC tokens and
+-- claims, see
+-- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools>
+-- in the /Amazon Cognito Developer Guide/. For more information about
+-- using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+--
+-- 'subjectFromWebIdentityToken', 'assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken' - The unique user identifier that is returned by the identity provider.
+-- This identifier is associated with the @WebIdentityToken@ that was
+-- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is
+-- typically unique to the user and the application that acquired the
+-- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens,
+-- this field contains the value returned by the identity provider as the
+-- token\'s @sub@ (Subject) claim.
+--
+-- 'httpStatus', 'assumeRoleWithWebIdentityResponse_httpStatus' - The response's http status code.
+--
+-- 'credentials', 'assumeRoleWithWebIdentityResponse_credentials' - The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+newAssumeRoleWithWebIdentityResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  -- | 'credentials'
+  Core.AuthEnv ->
+  AssumeRoleWithWebIdentityResponse
+newAssumeRoleWithWebIdentityResponse
+  pHttpStatus_
+  pCredentials_ =
+    AssumeRoleWithWebIdentityResponse'
+      { assumedRoleUser =
+          Prelude.Nothing,
+        audience = Prelude.Nothing,
+        packedPolicySize = Prelude.Nothing,
+        provider = Prelude.Nothing,
+        sourceIdentity = Prelude.Nothing,
+        subjectFromWebIdentityToken =
+          Prelude.Nothing,
+        httpStatus = pHttpStatus_,
+        credentials = pCredentials_
+      }
+
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary
+-- security credentials. For example, you can reference these credentials
+-- as a principal in a resource-based policy by using the ARN or assumed
+-- role ID. The ARN and ID include the @RoleSessionName@ that you specified
+-- when you called @AssumeRole@.
+assumeRoleWithWebIdentityResponse_assumedRoleUser :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe AssumedRoleUser)
+assumeRoleWithWebIdentityResponse_assumedRoleUser = Lens.lens (\AssumeRoleWithWebIdentityResponse' {assumedRoleUser} -> assumedRoleUser) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {assumedRoleUser = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The intended audience (also known as client ID) of the web identity
+-- token. This is traditionally the client identifier issued to the
+-- application that requested the web identity token.
+assumeRoleWithWebIdentityResponse_audience :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentityResponse_audience = Lens.lens (\AssumeRoleWithWebIdentityResponse' {audience} -> audience) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {audience = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+assumeRoleWithWebIdentityResponse_packedPolicySize :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Natural)
+assumeRoleWithWebIdentityResponse_packedPolicySize = Lens.lens (\AssumeRoleWithWebIdentityResponse' {packedPolicySize} -> packedPolicySize) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {packedPolicySize = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The issuing authority of the web identity token presented. For OpenID
+-- Connect ID tokens, this contains the value of the @iss@ field. For OAuth
+-- 2.0 access tokens, this contains the value of the @ProviderId@ parameter
+-- that was passed in the @AssumeRoleWithWebIdentity@ request.
+assumeRoleWithWebIdentityResponse_provider :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentityResponse_provider = Lens.lens (\AssumeRoleWithWebIdentityResponse' {provider} -> provider) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {provider = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The value of the source identity that is returned in the JSON web token
+-- (JWT) from the identity provider.
+--
+-- You can require users to set a source identity value when they assume a
+-- role. You do this by using the @sts:SourceIdentity@ condition key in a
+-- role trust policy. That way, actions that are taken with the role are
+-- associated with that user. After the source identity is set, the value
+-- cannot be changed. It is present in the request for all actions that are
+-- taken by the role and persists across
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role>
+-- sessions. You can configure your identity provider to use an attribute
+-- associated with your users, like user name or email, as the source
+-- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding
+-- a claim to the JSON web token. To learn more about OIDC tokens and
+-- claims, see
+-- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools>
+-- in the /Amazon Cognito Developer Guide/. For more information about
+-- using source identity, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles>
+-- in the /IAM User Guide/.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+assumeRoleWithWebIdentityResponse_sourceIdentity :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentityResponse_sourceIdentity = Lens.lens (\AssumeRoleWithWebIdentityResponse' {sourceIdentity} -> sourceIdentity) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {sourceIdentity = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The unique user identifier that is returned by the identity provider.
+-- This identifier is associated with the @WebIdentityToken@ that was
+-- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is
+-- typically unique to the user and the application that acquired the
+-- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens,
+-- this field contains the value returned by the identity provider as the
+-- token\'s @sub@ (Subject) claim.
+assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text)
+assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken = Lens.lens (\AssumeRoleWithWebIdentityResponse' {subjectFromWebIdentityToken} -> subjectFromWebIdentityToken) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {subjectFromWebIdentityToken = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The response's http status code.
+assumeRoleWithWebIdentityResponse_httpStatus :: Lens.Lens' AssumeRoleWithWebIdentityResponse Prelude.Int
+assumeRoleWithWebIdentityResponse_httpStatus = Lens.lens (\AssumeRoleWithWebIdentityResponse' {httpStatus} -> httpStatus) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {httpStatus = a} :: AssumeRoleWithWebIdentityResponse)
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+assumeRoleWithWebIdentityResponse_credentials :: Lens.Lens' AssumeRoleWithWebIdentityResponse Core.AuthEnv
+assumeRoleWithWebIdentityResponse_credentials = Lens.lens (\AssumeRoleWithWebIdentityResponse' {credentials} -> credentials) (\s@AssumeRoleWithWebIdentityResponse' {} a -> s {credentials = a} :: AssumeRoleWithWebIdentityResponse)
+
+instance
+  Prelude.NFData
+    AssumeRoleWithWebIdentityResponse
+  where
+  rnf AssumeRoleWithWebIdentityResponse' {..} =
+    Prelude.rnf assumedRoleUser
+      `Prelude.seq` Prelude.rnf audience
+      `Prelude.seq` Prelude.rnf packedPolicySize
+      `Prelude.seq` Prelude.rnf provider
+      `Prelude.seq` Prelude.rnf sourceIdentity
+      `Prelude.seq` Prelude.rnf subjectFromWebIdentityToken
+      `Prelude.seq` Prelude.rnf httpStatus
+      `Prelude.seq` Prelude.rnf credentials
diff --git a/gen/Amazonka/STS/DecodeAuthorizationMessage.hs b/gen/Amazonka/STS/DecodeAuthorizationMessage.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/DecodeAuthorizationMessage.hs
@@ -0,0 +1,204 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.DecodeAuthorizationMessage
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Decodes additional information about the authorization status of a
+-- request from an encoded message returned in response to an Amazon Web
+-- Services request.
+--
+-- For example, if a user is not authorized to perform an operation that he
+-- or she has requested, the request returns a
+-- @Client.UnauthorizedOperation@ response (an HTTP 403 response). Some
+-- Amazon Web Services operations additionally return an encoded message
+-- that can provide details about this authorization failure.
+--
+-- Only certain Amazon Web Services operations return an encoded
+-- authorization message. The documentation for an individual operation
+-- indicates whether that operation returns an encoded message in addition
+-- to returning an HTTP code.
+--
+-- The message is encoded because the details of the authorization status
+-- can contain privileged information that the user who requested the
+-- operation should not see. To decode an authorization status message, a
+-- user must be granted permissions through an IAM
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html policy>
+-- to request the @DecodeAuthorizationMessage@
+-- (@sts:DecodeAuthorizationMessage@) action.
+--
+-- The decoded message includes the following type of information:
+--
+-- -   Whether the request was denied due to an explicit deny or due to the
+--     absence of an explicit allow. For more information, see
+--     <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>
+--     in the /IAM User Guide/.
+--
+-- -   The principal who made the request.
+--
+-- -   The requested action.
+--
+-- -   The requested resource.
+--
+-- -   The values of condition keys in the context of the user\'s request.
+module Amazonka.STS.DecodeAuthorizationMessage
+  ( -- * Creating a Request
+    DecodeAuthorizationMessage (..),
+    newDecodeAuthorizationMessage,
+
+    -- * Request Lenses
+    decodeAuthorizationMessage_encodedMessage,
+
+    -- * Destructuring the Response
+    DecodeAuthorizationMessageResponse (..),
+    newDecodeAuthorizationMessageResponse,
+
+    -- * Response Lenses
+    decodeAuthorizationMessageResponse_decodedMessage,
+    decodeAuthorizationMessageResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newDecodeAuthorizationMessage' smart constructor.
+data DecodeAuthorizationMessage = DecodeAuthorizationMessage'
+  { -- | The encoded message that was returned with the response.
+    encodedMessage :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DecodeAuthorizationMessage' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'encodedMessage', 'decodeAuthorizationMessage_encodedMessage' - The encoded message that was returned with the response.
+newDecodeAuthorizationMessage ::
+  -- | 'encodedMessage'
+  Prelude.Text ->
+  DecodeAuthorizationMessage
+newDecodeAuthorizationMessage pEncodedMessage_ =
+  DecodeAuthorizationMessage'
+    { encodedMessage =
+        pEncodedMessage_
+    }
+
+-- | The encoded message that was returned with the response.
+decodeAuthorizationMessage_encodedMessage :: Lens.Lens' DecodeAuthorizationMessage Prelude.Text
+decodeAuthorizationMessage_encodedMessage = Lens.lens (\DecodeAuthorizationMessage' {encodedMessage} -> encodedMessage) (\s@DecodeAuthorizationMessage' {} a -> s {encodedMessage = a} :: DecodeAuthorizationMessage)
+
+instance Core.AWSRequest DecodeAuthorizationMessage where
+  type
+    AWSResponse DecodeAuthorizationMessage =
+      DecodeAuthorizationMessageResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "DecodeAuthorizationMessageResult"
+      ( \s h x ->
+          DecodeAuthorizationMessageResponse'
+            Prelude.<$> (x Data..@? "DecodedMessage")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DecodeAuthorizationMessage where
+  hashWithSalt _salt DecodeAuthorizationMessage' {..} =
+    _salt `Prelude.hashWithSalt` encodedMessage
+
+instance Prelude.NFData DecodeAuthorizationMessage where
+  rnf DecodeAuthorizationMessage' {..} =
+    Prelude.rnf encodedMessage
+
+instance Data.ToHeaders DecodeAuthorizationMessage where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath DecodeAuthorizationMessage where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DecodeAuthorizationMessage where
+  toQuery DecodeAuthorizationMessage' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("DecodeAuthorizationMessage" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "EncodedMessage" Data.=: encodedMessage
+      ]
+
+-- | A document that contains additional information about the authorization
+-- status of a request from an encoded message that is returned in response
+-- to an Amazon Web Services request.
+--
+-- /See:/ 'newDecodeAuthorizationMessageResponse' smart constructor.
+data DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse'
+  { -- | The API returns a response with the decoded message.
+    decodedMessage :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DecodeAuthorizationMessageResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'decodedMessage', 'decodeAuthorizationMessageResponse_decodedMessage' - The API returns a response with the decoded message.
+--
+-- 'httpStatus', 'decodeAuthorizationMessageResponse_httpStatus' - The response's http status code.
+newDecodeAuthorizationMessageResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DecodeAuthorizationMessageResponse
+newDecodeAuthorizationMessageResponse pHttpStatus_ =
+  DecodeAuthorizationMessageResponse'
+    { decodedMessage =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The API returns a response with the decoded message.
+decodeAuthorizationMessageResponse_decodedMessage :: Lens.Lens' DecodeAuthorizationMessageResponse (Prelude.Maybe Prelude.Text)
+decodeAuthorizationMessageResponse_decodedMessage = Lens.lens (\DecodeAuthorizationMessageResponse' {decodedMessage} -> decodedMessage) (\s@DecodeAuthorizationMessageResponse' {} a -> s {decodedMessage = a} :: DecodeAuthorizationMessageResponse)
+
+-- | The response's http status code.
+decodeAuthorizationMessageResponse_httpStatus :: Lens.Lens' DecodeAuthorizationMessageResponse Prelude.Int
+decodeAuthorizationMessageResponse_httpStatus = Lens.lens (\DecodeAuthorizationMessageResponse' {httpStatus} -> httpStatus) (\s@DecodeAuthorizationMessageResponse' {} a -> s {httpStatus = a} :: DecodeAuthorizationMessageResponse)
+
+instance
+  Prelude.NFData
+    DecodeAuthorizationMessageResponse
+  where
+  rnf DecodeAuthorizationMessageResponse' {..} =
+    Prelude.rnf decodedMessage
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/GetAccessKeyInfo.hs b/gen/Amazonka/STS/GetAccessKeyInfo.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/GetAccessKeyInfo.hs
@@ -0,0 +1,192 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.GetAccessKeyInfo
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns the account identifier for the specified access key ID.
+--
+-- Access keys consist of two parts: an access key ID (for example,
+-- @AKIAIOSFODNN7EXAMPLE@) and a secret access key (for example,
+-- @wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY@). For more information
+-- about access keys, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html Managing Access Keys for IAM Users>
+-- in the /IAM User Guide/.
+--
+-- When you pass an access key ID to this operation, it returns the ID of
+-- the Amazon Web Services account to which the keys belong. Access key IDs
+-- beginning with @AKIA@ are long-term credentials for an IAM user or the
+-- Amazon Web Services account root user. Access key IDs beginning with
+-- @ASIA@ are temporary credentials that are created using STS operations.
+-- If the account in the response belongs to you, you can sign in as the
+-- root user and review your root user access keys. Then, you can pull a
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html credentials report>
+-- to learn which IAM user owns the keys. To learn who requested the
+-- temporary credentials for an @ASIA@ access key, view the STS events in
+-- your
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html CloudTrail logs>
+-- in the /IAM User Guide/.
+--
+-- This operation does not indicate the state of the access key. The key
+-- might be active, inactive, or deleted. Active keys might not have
+-- permissions to perform an operation. Providing a deleted access key
+-- might return an error that the key doesn\'t exist.
+module Amazonka.STS.GetAccessKeyInfo
+  ( -- * Creating a Request
+    GetAccessKeyInfo (..),
+    newGetAccessKeyInfo,
+
+    -- * Request Lenses
+    getAccessKeyInfo_accessKeyId,
+
+    -- * Destructuring the Response
+    GetAccessKeyInfoResponse (..),
+    newGetAccessKeyInfoResponse,
+
+    -- * Response Lenses
+    getAccessKeyInfoResponse_account,
+    getAccessKeyInfoResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newGetAccessKeyInfo' smart constructor.
+data GetAccessKeyInfo = GetAccessKeyInfo'
+  { -- | The identifier of an access key.
+    --
+    -- This parameter allows (through its regex pattern) a string of characters
+    -- that can consist of any upper- or lowercase letter or digit.
+    accessKeyId :: Core.AccessKey
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetAccessKeyInfo' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'accessKeyId', 'getAccessKeyInfo_accessKeyId' - The identifier of an access key.
+--
+-- This parameter allows (through its regex pattern) a string of characters
+-- that can consist of any upper- or lowercase letter or digit.
+newGetAccessKeyInfo ::
+  -- | 'accessKeyId'
+  Core.AccessKey ->
+  GetAccessKeyInfo
+newGetAccessKeyInfo pAccessKeyId_ =
+  GetAccessKeyInfo' {accessKeyId = pAccessKeyId_}
+
+-- | The identifier of an access key.
+--
+-- This parameter allows (through its regex pattern) a string of characters
+-- that can consist of any upper- or lowercase letter or digit.
+getAccessKeyInfo_accessKeyId :: Lens.Lens' GetAccessKeyInfo Core.AccessKey
+getAccessKeyInfo_accessKeyId = Lens.lens (\GetAccessKeyInfo' {accessKeyId} -> accessKeyId) (\s@GetAccessKeyInfo' {} a -> s {accessKeyId = a} :: GetAccessKeyInfo)
+
+instance Core.AWSRequest GetAccessKeyInfo where
+  type
+    AWSResponse GetAccessKeyInfo =
+      GetAccessKeyInfoResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "GetAccessKeyInfoResult"
+      ( \s h x ->
+          GetAccessKeyInfoResponse'
+            Prelude.<$> (x Data..@? "Account")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable GetAccessKeyInfo where
+  hashWithSalt _salt GetAccessKeyInfo' {..} =
+    _salt `Prelude.hashWithSalt` accessKeyId
+
+instance Prelude.NFData GetAccessKeyInfo where
+  rnf GetAccessKeyInfo' {..} = Prelude.rnf accessKeyId
+
+instance Data.ToHeaders GetAccessKeyInfo where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath GetAccessKeyInfo where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery GetAccessKeyInfo where
+  toQuery GetAccessKeyInfo' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("GetAccessKeyInfo" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "AccessKeyId" Data.=: accessKeyId
+      ]
+
+-- | /See:/ 'newGetAccessKeyInfoResponse' smart constructor.
+data GetAccessKeyInfoResponse = GetAccessKeyInfoResponse'
+  { -- | The number used to identify the Amazon Web Services account.
+    account :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetAccessKeyInfoResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'account', 'getAccessKeyInfoResponse_account' - The number used to identify the Amazon Web Services account.
+--
+-- 'httpStatus', 'getAccessKeyInfoResponse_httpStatus' - The response's http status code.
+newGetAccessKeyInfoResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  GetAccessKeyInfoResponse
+newGetAccessKeyInfoResponse pHttpStatus_ =
+  GetAccessKeyInfoResponse'
+    { account =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The number used to identify the Amazon Web Services account.
+getAccessKeyInfoResponse_account :: Lens.Lens' GetAccessKeyInfoResponse (Prelude.Maybe Prelude.Text)
+getAccessKeyInfoResponse_account = Lens.lens (\GetAccessKeyInfoResponse' {account} -> account) (\s@GetAccessKeyInfoResponse' {} a -> s {account = a} :: GetAccessKeyInfoResponse)
+
+-- | The response's http status code.
+getAccessKeyInfoResponse_httpStatus :: Lens.Lens' GetAccessKeyInfoResponse Prelude.Int
+getAccessKeyInfoResponse_httpStatus = Lens.lens (\GetAccessKeyInfoResponse' {httpStatus} -> httpStatus) (\s@GetAccessKeyInfoResponse' {} a -> s {httpStatus = a} :: GetAccessKeyInfoResponse)
+
+instance Prelude.NFData GetAccessKeyInfoResponse where
+  rnf GetAccessKeyInfoResponse' {..} =
+    Prelude.rnf account
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/GetCallerIdentity.hs b/gen/Amazonka/STS/GetCallerIdentity.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/GetCallerIdentity.hs
@@ -0,0 +1,197 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.GetCallerIdentity
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns details about the IAM user or role whose credentials are used to
+-- call the operation.
+--
+-- No permissions are required to perform this operation. If an
+-- administrator adds a policy to your IAM user or role that explicitly
+-- denies access to the @sts:GetCallerIdentity@ action, you can still
+-- perform this operation. Permissions are not required because the same
+-- information is returned when an IAM user or role is denied access. To
+-- view an example response, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice>
+-- in the /IAM User Guide/.
+module Amazonka.STS.GetCallerIdentity
+  ( -- * Creating a Request
+    GetCallerIdentity (..),
+    newGetCallerIdentity,
+
+    -- * Destructuring the Response
+    GetCallerIdentityResponse (..),
+    newGetCallerIdentityResponse,
+
+    -- * Response Lenses
+    getCallerIdentityResponse_account,
+    getCallerIdentityResponse_arn,
+    getCallerIdentityResponse_userId,
+    getCallerIdentityResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newGetCallerIdentity' smart constructor.
+data GetCallerIdentity = GetCallerIdentity'
+  {
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetCallerIdentity' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+newGetCallerIdentity ::
+  GetCallerIdentity
+newGetCallerIdentity = GetCallerIdentity'
+
+instance Core.AWSRequest GetCallerIdentity where
+  type
+    AWSResponse GetCallerIdentity =
+      GetCallerIdentityResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "GetCallerIdentityResult"
+      ( \s h x ->
+          GetCallerIdentityResponse'
+            Prelude.<$> (x Data..@? "Account")
+            Prelude.<*> (x Data..@? "Arn")
+            Prelude.<*> (x Data..@? "UserId")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable GetCallerIdentity where
+  hashWithSalt _salt _ =
+    _salt `Prelude.hashWithSalt` ()
+
+instance Prelude.NFData GetCallerIdentity where
+  rnf _ = ()
+
+instance Data.ToHeaders GetCallerIdentity where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath GetCallerIdentity where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery GetCallerIdentity where
+  toQuery =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "Action"
+              Data.=: ("GetCallerIdentity" :: Prelude.ByteString),
+            "Version"
+              Data.=: ("2011-06-15" :: Prelude.ByteString)
+          ]
+      )
+
+-- | Contains the response to a successful GetCallerIdentity request,
+-- including information about the entity making the request.
+--
+-- /See:/ 'newGetCallerIdentityResponse' smart constructor.
+data GetCallerIdentityResponse = GetCallerIdentityResponse'
+  { -- | The Amazon Web Services account ID number of the account that owns or
+    -- contains the calling entity.
+    account :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Web Services ARN associated with the calling entity.
+    arn :: Prelude.Maybe Prelude.Text,
+    -- | The unique identifier of the calling entity. The exact value depends on
+    -- the type of entity that is making the call. The values returned are
+    -- those listed in the __aws:userid__ column in the
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table>
+    -- found on the __Policy Variables__ reference page in the /IAM User
+    -- Guide/.
+    userId :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetCallerIdentityResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'account', 'getCallerIdentityResponse_account' - The Amazon Web Services account ID number of the account that owns or
+-- contains the calling entity.
+--
+-- 'arn', 'getCallerIdentityResponse_arn' - The Amazon Web Services ARN associated with the calling entity.
+--
+-- 'userId', 'getCallerIdentityResponse_userId' - The unique identifier of the calling entity. The exact value depends on
+-- the type of entity that is making the call. The values returned are
+-- those listed in the __aws:userid__ column in the
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table>
+-- found on the __Policy Variables__ reference page in the /IAM User
+-- Guide/.
+--
+-- 'httpStatus', 'getCallerIdentityResponse_httpStatus' - The response's http status code.
+newGetCallerIdentityResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  GetCallerIdentityResponse
+newGetCallerIdentityResponse pHttpStatus_ =
+  GetCallerIdentityResponse'
+    { account =
+        Prelude.Nothing,
+      arn = Prelude.Nothing,
+      userId = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The Amazon Web Services account ID number of the account that owns or
+-- contains the calling entity.
+getCallerIdentityResponse_account :: Lens.Lens' GetCallerIdentityResponse (Prelude.Maybe Prelude.Text)
+getCallerIdentityResponse_account = Lens.lens (\GetCallerIdentityResponse' {account} -> account) (\s@GetCallerIdentityResponse' {} a -> s {account = a} :: GetCallerIdentityResponse)
+
+-- | The Amazon Web Services ARN associated with the calling entity.
+getCallerIdentityResponse_arn :: Lens.Lens' GetCallerIdentityResponse (Prelude.Maybe Prelude.Text)
+getCallerIdentityResponse_arn = Lens.lens (\GetCallerIdentityResponse' {arn} -> arn) (\s@GetCallerIdentityResponse' {} a -> s {arn = a} :: GetCallerIdentityResponse)
+
+-- | The unique identifier of the calling entity. The exact value depends on
+-- the type of entity that is making the call. The values returned are
+-- those listed in the __aws:userid__ column in the
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table>
+-- found on the __Policy Variables__ reference page in the /IAM User
+-- Guide/.
+getCallerIdentityResponse_userId :: Lens.Lens' GetCallerIdentityResponse (Prelude.Maybe Prelude.Text)
+getCallerIdentityResponse_userId = Lens.lens (\GetCallerIdentityResponse' {userId} -> userId) (\s@GetCallerIdentityResponse' {} a -> s {userId = a} :: GetCallerIdentityResponse)
+
+-- | The response's http status code.
+getCallerIdentityResponse_httpStatus :: Lens.Lens' GetCallerIdentityResponse Prelude.Int
+getCallerIdentityResponse_httpStatus = Lens.lens (\GetCallerIdentityResponse' {httpStatus} -> httpStatus) (\s@GetCallerIdentityResponse' {} a -> s {httpStatus = a} :: GetCallerIdentityResponse)
+
+instance Prelude.NFData GetCallerIdentityResponse where
+  rnf GetCallerIdentityResponse' {..} =
+    Prelude.rnf account
+      `Prelude.seq` Prelude.rnf arn
+      `Prelude.seq` Prelude.rnf userId
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/GetFederationToken.hs b/gen/Amazonka/STS/GetFederationToken.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/GetFederationToken.hs
@@ -0,0 +1,742 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.GetFederationToken
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns a set of temporary security credentials (consisting of an access
+-- key ID, a secret access key, and a security token) for a federated user.
+-- A typical use is in a proxy application that gets temporary security
+-- credentials on behalf of distributed applications inside a corporate
+-- network. You must call the @GetFederationToken@ operation using the
+-- long-term security credentials of an IAM user. As a result, this call is
+-- appropriate in contexts where those credentials can be safely stored,
+-- usually in a server-based application. For a comparison of
+-- @GetFederationToken@ with the other API operations that produce
+-- temporary credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the Amazon Web Services STS API operations>
+-- in the /IAM User Guide/.
+--
+-- You can create a mobile-based or browser-based app that can authenticate
+-- users using a web identity provider like Login with Amazon, Facebook,
+-- Google, or an OpenID Connect-compatible identity provider. In this case,
+-- we recommend that you use
+-- <http://aws.amazon.com/cognito/ Amazon Cognito> or
+-- @AssumeRoleWithWebIdentity@. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>
+-- in the /IAM User Guide/.
+--
+-- You can also call @GetFederationToken@ using the security credentials of
+-- an Amazon Web Services account root user, but we do not recommend it.
+-- Instead, we recommend that you create an IAM user for the purpose of the
+-- proxy application. Then attach a policy to the IAM user that limits
+-- federated users to only the actions and resources that they need to
+-- access. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices>
+-- in the /IAM User Guide/.
+--
+-- __Session duration__
+--
+-- The temporary credentials are valid for the specified duration, from 900
+-- seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The
+-- default session duration is 43,200 seconds (12 hours). Temporary
+-- credentials obtained by using the Amazon Web Services account root user
+-- credentials have a maximum duration of 3,600 seconds (1 hour).
+--
+-- __Permissions__
+--
+-- You can use the temporary credentials created by @GetFederationToken@ in
+-- any Amazon Web Services service except the following:
+--
+-- -   You cannot call any IAM operations using the CLI or the Amazon Web
+--     Services API.
+--
+-- -   You cannot call any STS operations except @GetCallerIdentity@.
+--
+-- You must pass an inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters.
+--
+-- Though the session policy parameters are optional, if you do not pass a
+-- policy, then the resulting federated user session has no permissions.
+-- When you pass session policies, the session permissions are the
+-- intersection of the IAM user policies and the session policies that you
+-- pass. This gives you a way to further restrict the permissions for a
+-- federated user. You cannot use session policies to grant more
+-- permissions than those that are defined in the permissions policy of the
+-- IAM user. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/. For information about using
+-- @GetFederationToken@ to create temporary security credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken GetFederationToken—Federation Through a Custom Identity Broker>.
+--
+-- You can use the credentials to access a resource that has a
+-- resource-based policy. If that policy specifically references the
+-- federated user session in the @Principal@ element of the policy, the
+-- session has the permissions allowed by the policy. These permissions are
+-- granted in addition to the permissions granted by the session policies.
+--
+-- __Tags__
+--
+-- (Optional) You can pass tag key-value pairs to your session. These are
+-- called session tags. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- You can create a mobile-based or browser-based app that can authenticate
+-- users using a web identity provider like Login with Amazon, Facebook,
+-- Google, or an OpenID Connect-compatible identity provider. In this case,
+-- we recommend that you use
+-- <http://aws.amazon.com/cognito/ Amazon Cognito> or
+-- @AssumeRoleWithWebIdentity@. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>
+-- in the /IAM User Guide/.
+--
+-- An administrator must grant you the permissions necessary to pass
+-- session tags. The administrator can also create granular permissions to
+-- allow you to pass only specific session tags. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control>
+-- in the /IAM User Guide/.
+--
+-- Tag key–value pairs are not case sensitive, but case is preserved. This
+-- means that you cannot have separate @Department@ and @department@ tag
+-- keys. Assume that the user that you are federating has the
+-- @Department@=@Marketing@ tag and you pass the @department@=@engineering@
+-- session tag. @Department@ and @department@ are not saved as separate
+-- tags, and the session tag passed in the request takes precedence over
+-- the user tag.
+module Amazonka.STS.GetFederationToken
+  ( -- * Creating a Request
+    GetFederationToken (..),
+    newGetFederationToken,
+
+    -- * Request Lenses
+    getFederationToken_durationSeconds,
+    getFederationToken_policy,
+    getFederationToken_policyArns,
+    getFederationToken_tags,
+    getFederationToken_name,
+
+    -- * Destructuring the Response
+    GetFederationTokenResponse (..),
+    newGetFederationTokenResponse,
+
+    -- * Response Lenses
+    getFederationTokenResponse_credentials,
+    getFederationTokenResponse_federatedUser,
+    getFederationTokenResponse_packedPolicySize,
+    getFederationTokenResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newGetFederationToken' smart constructor.
+data GetFederationToken = GetFederationToken'
+  { -- | The duration, in seconds, that the session should last. Acceptable
+    -- durations for federation sessions range from 900 seconds (15 minutes) to
+    -- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
+    -- default. Sessions obtained using Amazon Web Services account root user
+    -- credentials are restricted to a maximum of 3,600 seconds (one hour). If
+    -- the specified duration is longer than one hour, the session obtained by
+    -- using root user credentials defaults to one hour.
+    durationSeconds :: Prelude.Maybe Prelude.Natural,
+    -- | An IAM policy in JSON format that you want to use as an inline session
+    -- policy.
+    --
+    -- You must pass an inline or managed
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+    -- to this operation. You can pass a single JSON policy document to use as
+    -- an inline session policy. You can also specify up to 10 managed policy
+    -- Amazon Resource Names (ARNs) to use as managed session policies.
+    --
+    -- This parameter is optional. However, if you do not pass any session
+    -- policies, then the resulting federated user session has no permissions.
+    --
+    -- When you pass session policies, the session permissions are the
+    -- intersection of the IAM user policies and the session policies that you
+    -- pass. This gives you a way to further restrict the permissions for a
+    -- federated user. You cannot use session policies to grant more
+    -- permissions than those that are defined in the permissions policy of the
+    -- IAM user. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    --
+    -- The resulting credentials can be used to access a resource that has a
+    -- resource-based policy. If that policy specifically references the
+    -- federated user session in the @Principal@ element of the policy, the
+    -- session has the permissions allowed by the policy. These permissions are
+    -- granted in addition to the permissions that are granted by the session
+    -- policies.
+    --
+    -- The plaintext that you use for both inline and managed session policies
+    -- can\'t exceed 2,048 characters. The JSON policy characters can be any
+    -- ASCII character from the space character to the end of the valid
+    -- character list (\\u0020 through \\u00FF). It can also include the tab
+    -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    policy :: Prelude.Maybe Prelude.Text,
+    -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+    -- want to use as a managed session policy. The policies must exist in the
+    -- same account as the IAM user that is requesting federated access.
+    --
+    -- You must pass an inline or managed
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+    -- to this operation. You can pass a single JSON policy document to use as
+    -- an inline session policy. You can also specify up to 10 managed policy
+    -- Amazon Resource Names (ARNs) to use as managed session policies. The
+    -- plaintext that you use for both inline and managed session policies
+    -- can\'t exceed 2,048 characters. You can provide up to 10 managed policy
+    -- ARNs. For more information about ARNs, see
+    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+    -- in the Amazon Web Services General Reference.
+    --
+    -- This parameter is optional. However, if you do not pass any session
+    -- policies, then the resulting federated user session has no permissions.
+    --
+    -- When you pass session policies, the session permissions are the
+    -- intersection of the IAM user policies and the session policies that you
+    -- pass. This gives you a way to further restrict the permissions for a
+    -- federated user. You cannot use session policies to grant more
+    -- permissions than those that are defined in the permissions policy of the
+    -- IAM user. For more information, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+    -- in the /IAM User Guide/.
+    --
+    -- The resulting credentials can be used to access a resource that has a
+    -- resource-based policy. If that policy specifically references the
+    -- federated user session in the @Principal@ element of the policy, the
+    -- session has the permissions allowed by the policy. These permissions are
+    -- granted in addition to the permissions that are granted by the session
+    -- policies.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    policyArns :: Prelude.Maybe [PolicyDescriptorType],
+    -- | A list of session tags. Each session tag consists of a key name and an
+    -- associated value. For more information about session tags, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+    -- in the /IAM User Guide/.
+    --
+    -- This parameter is optional. You can pass up to 50 session tags. The
+    -- plaintext session tag keys can’t exceed 128 characters and the values
+    -- can’t exceed 256 characters. For these and additional limits, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+    -- in the /IAM User Guide/.
+    --
+    -- An Amazon Web Services conversion compresses the passed inline session
+    -- policy, managed policy ARNs, and session tags into a packed binary
+    -- format that has a separate limit. Your request can fail for this limit
+    -- even if your plaintext meets the other requirements. The
+    -- @PackedPolicySize@ response element indicates by percentage how close
+    -- the policies and tags for your request are to the upper size limit.
+    --
+    -- You can pass a session tag with the same key as a tag that is already
+    -- attached to the user you are federating. When you do, session tags
+    -- override a user tag with the same key.
+    --
+    -- Tag key–value pairs are not case sensitive, but case is preserved. This
+    -- means that you cannot have separate @Department@ and @department@ tag
+    -- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+    -- pass the @department@=@engineering@ session tag. @Department@ and
+    -- @department@ are not saved as separate tags, and the session tag passed
+    -- in the request takes precedence over the role tag.
+    tags :: Prelude.Maybe [Tag],
+    -- | The name of the federated user. The name is used as an identifier for
+    -- the temporary security credentials (such as @Bob@). For example, you can
+    -- reference the federated user name in a resource-based policy, such as in
+    -- an Amazon S3 bucket policy.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@-
+    name :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetFederationToken' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'durationSeconds', 'getFederationToken_durationSeconds' - The duration, in seconds, that the session should last. Acceptable
+-- durations for federation sessions range from 900 seconds (15 minutes) to
+-- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
+-- default. Sessions obtained using Amazon Web Services account root user
+-- credentials are restricted to a maximum of 3,600 seconds (one hour). If
+-- the specified duration is longer than one hour, the session obtained by
+-- using root user credentials defaults to one hour.
+--
+-- 'policy', 'getFederationToken_policy' - An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- You must pass an inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies.
+--
+-- This parameter is optional. However, if you do not pass any session
+-- policies, then the resulting federated user session has no permissions.
+--
+-- When you pass session policies, the session permissions are the
+-- intersection of the IAM user policies and the session policies that you
+-- pass. This gives you a way to further restrict the permissions for a
+-- federated user. You cannot use session policies to grant more
+-- permissions than those that are defined in the permissions policy of the
+-- IAM user. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The resulting credentials can be used to access a resource that has a
+-- resource-based policy. If that policy specifically references the
+-- federated user session in the @Principal@ element of the policy, the
+-- session has the permissions allowed by the policy. These permissions are
+-- granted in addition to the permissions that are granted by the session
+-- policies.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- 'policyArns', 'getFederationToken_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as a managed session policy. The policies must exist in the
+-- same account as the IAM user that is requesting federated access.
+--
+-- You must pass an inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. You can provide up to 10 managed policy
+-- ARNs. For more information about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- This parameter is optional. However, if you do not pass any session
+-- policies, then the resulting federated user session has no permissions.
+--
+-- When you pass session policies, the session permissions are the
+-- intersection of the IAM user policies and the session policies that you
+-- pass. This gives you a way to further restrict the permissions for a
+-- federated user. You cannot use session policies to grant more
+-- permissions than those that are defined in the permissions policy of the
+-- IAM user. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The resulting credentials can be used to access a resource that has a
+-- resource-based policy. If that policy specifically references the
+-- federated user session in the @Principal@ element of the policy, the
+-- session has the permissions allowed by the policy. These permissions are
+-- granted in addition to the permissions that are granted by the session
+-- policies.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- 'tags', 'getFederationToken_tags' - A list of session tags. Each session tag consists of a key name and an
+-- associated value. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. You can pass up to 50 session tags. The
+-- plaintext session tag keys can’t exceed 128 characters and the values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is already
+-- attached to the user you are federating. When you do, session tags
+-- override a user tag with the same key.
+--
+-- Tag key–value pairs are not case sensitive, but case is preserved. This
+-- means that you cannot have separate @Department@ and @department@ tag
+-- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+-- pass the @department@=@engineering@ session tag. @Department@ and
+-- @department@ are not saved as separate tags, and the session tag passed
+-- in the request takes precedence over the role tag.
+--
+-- 'name', 'getFederationToken_name' - The name of the federated user. The name is used as an identifier for
+-- the temporary security credentials (such as @Bob@). For example, you can
+-- reference the federated user name in a resource-based policy, such as in
+-- an Amazon S3 bucket policy.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+newGetFederationToken ::
+  -- | 'name'
+  Prelude.Text ->
+  GetFederationToken
+newGetFederationToken pName_ =
+  GetFederationToken'
+    { durationSeconds =
+        Prelude.Nothing,
+      policy = Prelude.Nothing,
+      policyArns = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      name = pName_
+    }
+
+-- | The duration, in seconds, that the session should last. Acceptable
+-- durations for federation sessions range from 900 seconds (15 minutes) to
+-- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
+-- default. Sessions obtained using Amazon Web Services account root user
+-- credentials are restricted to a maximum of 3,600 seconds (one hour). If
+-- the specified duration is longer than one hour, the session obtained by
+-- using root user credentials defaults to one hour.
+getFederationToken_durationSeconds :: Lens.Lens' GetFederationToken (Prelude.Maybe Prelude.Natural)
+getFederationToken_durationSeconds = Lens.lens (\GetFederationToken' {durationSeconds} -> durationSeconds) (\s@GetFederationToken' {} a -> s {durationSeconds = a} :: GetFederationToken)
+
+-- | An IAM policy in JSON format that you want to use as an inline session
+-- policy.
+--
+-- You must pass an inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies.
+--
+-- This parameter is optional. However, if you do not pass any session
+-- policies, then the resulting federated user session has no permissions.
+--
+-- When you pass session policies, the session permissions are the
+-- intersection of the IAM user policies and the session policies that you
+-- pass. This gives you a way to further restrict the permissions for a
+-- federated user. You cannot use session policies to grant more
+-- permissions than those that are defined in the permissions policy of the
+-- IAM user. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The resulting credentials can be used to access a resource that has a
+-- resource-based policy. If that policy specifically references the
+-- federated user session in the @Principal@ element of the policy, the
+-- session has the permissions allowed by the policy. These permissions are
+-- granted in addition to the permissions that are granted by the session
+-- policies.
+--
+-- The plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. The JSON policy characters can be any
+-- ASCII character from the space character to the end of the valid
+-- character list (\\u0020 through \\u00FF). It can also include the tab
+-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+getFederationToken_policy :: Lens.Lens' GetFederationToken (Prelude.Maybe Prelude.Text)
+getFederationToken_policy = Lens.lens (\GetFederationToken' {policy} -> policy) (\s@GetFederationToken' {} a -> s {policy = a} :: GetFederationToken)
+
+-- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
+-- want to use as a managed session policy. The policies must exist in the
+-- same account as the IAM user that is requesting federated access.
+--
+-- You must pass an inline or managed
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
+-- to this operation. You can pass a single JSON policy document to use as
+-- an inline session policy. You can also specify up to 10 managed policy
+-- Amazon Resource Names (ARNs) to use as managed session policies. The
+-- plaintext that you use for both inline and managed session policies
+-- can\'t exceed 2,048 characters. You can provide up to 10 managed policy
+-- ARNs. For more information about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the Amazon Web Services General Reference.
+--
+-- This parameter is optional. However, if you do not pass any session
+-- policies, then the resulting federated user session has no permissions.
+--
+-- When you pass session policies, the session permissions are the
+-- intersection of the IAM user policies and the session policies that you
+-- pass. This gives you a way to further restrict the permissions for a
+-- federated user. You cannot use session policies to grant more
+-- permissions than those that are defined in the permissions policy of the
+-- IAM user. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
+-- in the /IAM User Guide/.
+--
+-- The resulting credentials can be used to access a resource that has a
+-- resource-based policy. If that policy specifically references the
+-- federated user session in the @Principal@ element of the policy, the
+-- session has the permissions allowed by the policy. These permissions are
+-- granted in addition to the permissions that are granted by the session
+-- policies.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+getFederationToken_policyArns :: Lens.Lens' GetFederationToken (Prelude.Maybe [PolicyDescriptorType])
+getFederationToken_policyArns = Lens.lens (\GetFederationToken' {policyArns} -> policyArns) (\s@GetFederationToken' {} a -> s {policyArns = a} :: GetFederationToken) Prelude.. Lens.mapping Lens.coerced
+
+-- | A list of session tags. Each session tag consists of a key name and an
+-- associated value. For more information about session tags, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- This parameter is optional. You can pass up to 50 session tags. The
+-- plaintext session tag keys can’t exceed 128 characters and the values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- An Amazon Web Services conversion compresses the passed inline session
+-- policy, managed policy ARNs, and session tags into a packed binary
+-- format that has a separate limit. Your request can fail for this limit
+-- even if your plaintext meets the other requirements. The
+-- @PackedPolicySize@ response element indicates by percentage how close
+-- the policies and tags for your request are to the upper size limit.
+--
+-- You can pass a session tag with the same key as a tag that is already
+-- attached to the user you are federating. When you do, session tags
+-- override a user tag with the same key.
+--
+-- Tag key–value pairs are not case sensitive, but case is preserved. This
+-- means that you cannot have separate @Department@ and @department@ tag
+-- keys. Assume that the role has the @Department@=@Marketing@ tag and you
+-- pass the @department@=@engineering@ session tag. @Department@ and
+-- @department@ are not saved as separate tags, and the session tag passed
+-- in the request takes precedence over the role tag.
+getFederationToken_tags :: Lens.Lens' GetFederationToken (Prelude.Maybe [Tag])
+getFederationToken_tags = Lens.lens (\GetFederationToken' {tags} -> tags) (\s@GetFederationToken' {} a -> s {tags = a} :: GetFederationToken) Prelude.. Lens.mapping Lens.coerced
+
+-- | The name of the federated user. The name is used as an identifier for
+-- the temporary security credentials (such as @Bob@). For example, you can
+-- reference the federated user name in a resource-based policy, such as in
+-- an Amazon S3 bucket policy.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@-
+getFederationToken_name :: Lens.Lens' GetFederationToken Prelude.Text
+getFederationToken_name = Lens.lens (\GetFederationToken' {name} -> name) (\s@GetFederationToken' {} a -> s {name = a} :: GetFederationToken)
+
+instance Core.AWSRequest GetFederationToken where
+  type
+    AWSResponse GetFederationToken =
+      GetFederationTokenResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "GetFederationTokenResult"
+      ( \s h x ->
+          GetFederationTokenResponse'
+            Prelude.<$> (x Data..@? "Credentials")
+            Prelude.<*> (x Data..@? "FederatedUser")
+            Prelude.<*> (x Data..@? "PackedPolicySize")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable GetFederationToken where
+  hashWithSalt _salt GetFederationToken' {..} =
+    _salt
+      `Prelude.hashWithSalt` durationSeconds
+      `Prelude.hashWithSalt` policy
+      `Prelude.hashWithSalt` policyArns
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` name
+
+instance Prelude.NFData GetFederationToken where
+  rnf GetFederationToken' {..} =
+    Prelude.rnf durationSeconds
+      `Prelude.seq` Prelude.rnf policy
+      `Prelude.seq` Prelude.rnf policyArns
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf name
+
+instance Data.ToHeaders GetFederationToken where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath GetFederationToken where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery GetFederationToken where
+  toQuery GetFederationToken' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("GetFederationToken" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "DurationSeconds" Data.=: durationSeconds,
+        "Policy" Data.=: policy,
+        "PolicyArns"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> policyArns),
+        "Tags"
+          Data.=: Data.toQuery
+            (Data.toQueryList "member" Prelude.<$> tags),
+        "Name" Data.=: name
+      ]
+
+-- | Contains the response to a successful GetFederationToken request,
+-- including temporary Amazon Web Services credentials that can be used to
+-- make Amazon Web Services requests.
+--
+-- /See:/ 'newGetFederationTokenResponse' smart constructor.
+data GetFederationTokenResponse = GetFederationTokenResponse'
+  { -- | The temporary security credentials, which include an access key ID, a
+    -- secret access key, and a security (or session) token.
+    --
+    -- The size of the security token that STS API operations return is not
+    -- fixed. We strongly recommend that you make no assumptions about the
+    -- maximum size.
+    credentials :: Prelude.Maybe Core.AuthEnv,
+    -- | Identifiers for the federated user associated with the credentials (such
+    -- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
+    -- @123456789012:Bob@). You can use the federated user\'s ARN in your
+    -- resource-based policies, such as an Amazon S3 bucket policy.
+    federatedUser :: Prelude.Maybe FederatedUser,
+    -- | A percentage value that indicates the packed size of the session
+    -- policies and session tags combined passed in the request. The request
+    -- fails if the packed size is greater than 100 percent, which means the
+    -- policies and tags exceeded the allowed space.
+    packedPolicySize :: Prelude.Maybe Prelude.Natural,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetFederationTokenResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'credentials', 'getFederationTokenResponse_credentials' - The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+--
+-- 'federatedUser', 'getFederationTokenResponse_federatedUser' - Identifiers for the federated user associated with the credentials (such
+-- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
+-- @123456789012:Bob@). You can use the federated user\'s ARN in your
+-- resource-based policies, such as an Amazon S3 bucket policy.
+--
+-- 'packedPolicySize', 'getFederationTokenResponse_packedPolicySize' - A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+--
+-- 'httpStatus', 'getFederationTokenResponse_httpStatus' - The response's http status code.
+newGetFederationTokenResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  GetFederationTokenResponse
+newGetFederationTokenResponse pHttpStatus_ =
+  GetFederationTokenResponse'
+    { credentials =
+        Prelude.Nothing,
+      federatedUser = Prelude.Nothing,
+      packedPolicySize = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+getFederationTokenResponse_credentials :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe Core.AuthEnv)
+getFederationTokenResponse_credentials = Lens.lens (\GetFederationTokenResponse' {credentials} -> credentials) (\s@GetFederationTokenResponse' {} a -> s {credentials = a} :: GetFederationTokenResponse)
+
+-- | Identifiers for the federated user associated with the credentials (such
+-- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
+-- @123456789012:Bob@). You can use the federated user\'s ARN in your
+-- resource-based policies, such as an Amazon S3 bucket policy.
+getFederationTokenResponse_federatedUser :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe FederatedUser)
+getFederationTokenResponse_federatedUser = Lens.lens (\GetFederationTokenResponse' {federatedUser} -> federatedUser) (\s@GetFederationTokenResponse' {} a -> s {federatedUser = a} :: GetFederationTokenResponse)
+
+-- | A percentage value that indicates the packed size of the session
+-- policies and session tags combined passed in the request. The request
+-- fails if the packed size is greater than 100 percent, which means the
+-- policies and tags exceeded the allowed space.
+getFederationTokenResponse_packedPolicySize :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe Prelude.Natural)
+getFederationTokenResponse_packedPolicySize = Lens.lens (\GetFederationTokenResponse' {packedPolicySize} -> packedPolicySize) (\s@GetFederationTokenResponse' {} a -> s {packedPolicySize = a} :: GetFederationTokenResponse)
+
+-- | The response's http status code.
+getFederationTokenResponse_httpStatus :: Lens.Lens' GetFederationTokenResponse Prelude.Int
+getFederationTokenResponse_httpStatus = Lens.lens (\GetFederationTokenResponse' {httpStatus} -> httpStatus) (\s@GetFederationTokenResponse' {} a -> s {httpStatus = a} :: GetFederationTokenResponse)
+
+instance Prelude.NFData GetFederationTokenResponse where
+  rnf GetFederationTokenResponse' {..} =
+    Prelude.rnf credentials
+      `Prelude.seq` Prelude.rnf federatedUser
+      `Prelude.seq` Prelude.rnf packedPolicySize
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/GetSessionToken.hs b/gen/Amazonka/STS/GetSessionToken.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/GetSessionToken.hs
@@ -0,0 +1,348 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.GetSessionToken
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Returns a set of temporary credentials for an Amazon Web Services
+-- account or IAM user. The credentials consist of an access key ID, a
+-- secret access key, and a security token. Typically, you use
+-- @GetSessionToken@ if you want to use MFA to protect programmatic calls
+-- to specific Amazon Web Services API operations like Amazon EC2
+-- @StopInstances@. MFA-enabled IAM users would need to call
+-- @GetSessionToken@ and submit an MFA code that is associated with their
+-- MFA device. Using the temporary security credentials that are returned
+-- from the call, IAM users can then make programmatic calls to API
+-- operations that require MFA authentication. If you do not supply a
+-- correct MFA code, then the API returns an access denied error. For a
+-- comparison of @GetSessionToken@ with the other API operations that
+-- produce temporary credentials, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials>
+-- and
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the Amazon Web Services STS API operations>
+-- in the /IAM User Guide/.
+--
+-- No permissions are required for users to perform this operation. The
+-- purpose of the @sts:GetSessionToken@ operation is to authenticate the
+-- user using MFA. You cannot use policies to control authentication
+-- operations. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html Permissions for GetSessionToken>
+-- in the /IAM User Guide/.
+--
+-- __Session Duration__
+--
+-- The @GetSessionToken@ operation must be called by using the long-term
+-- Amazon Web Services security credentials of the Amazon Web Services
+-- account root user or an IAM user. Credentials that are created by IAM
+-- users are valid for the duration that you specify. This duration can
+-- range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
+-- (36 hours), with a default of 43,200 seconds (12 hours). Credentials
+-- based on account credentials can range from 900 seconds (15 minutes) up
+-- to 3,600 seconds (1 hour), with a default of 1 hour.
+--
+-- __Permissions__
+--
+-- The temporary security credentials created by @GetSessionToken@ can be
+-- used to make API calls to any Amazon Web Services service with the
+-- following exceptions:
+--
+-- -   You cannot call any IAM API operations unless MFA authentication
+--     information is included in the request.
+--
+-- -   You cannot call any STS API /except/ @AssumeRole@ or
+--     @GetCallerIdentity@.
+--
+-- We recommend that you do not call @GetSessionToken@ with Amazon Web
+-- Services account root user credentials. Instead, follow our
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users best practices>
+-- by creating one or more IAM users, giving them the necessary
+-- permissions, and using IAM users for everyday interaction with Amazon
+-- Web Services.
+--
+-- The credentials that are returned by @GetSessionToken@ are based on
+-- permissions associated with the user whose credentials were used to call
+-- the operation. If @GetSessionToken@ is called using Amazon Web Services
+-- account root user credentials, the temporary credentials have root user
+-- permissions. Similarly, if @GetSessionToken@ is called using the
+-- credentials of an IAM user, the temporary credentials have the same
+-- permissions as the IAM user.
+--
+-- For more information about using @GetSessionToken@ to create temporary
+-- credentials, go to
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken Temporary Credentials for Users in Untrusted Environments>
+-- in the /IAM User Guide/.
+module Amazonka.STS.GetSessionToken
+  ( -- * Creating a Request
+    GetSessionToken (..),
+    newGetSessionToken,
+
+    -- * Request Lenses
+    getSessionToken_durationSeconds,
+    getSessionToken_serialNumber,
+    getSessionToken_tokenCode,
+
+    -- * Destructuring the Response
+    GetSessionTokenResponse (..),
+    newGetSessionTokenResponse,
+
+    -- * Response Lenses
+    getSessionTokenResponse_credentials,
+    getSessionTokenResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+import Amazonka.STS.Types
+
+-- | /See:/ 'newGetSessionToken' smart constructor.
+data GetSessionToken = GetSessionToken'
+  { -- | The duration, in seconds, that the credentials should remain valid.
+    -- Acceptable durations for IAM user sessions range from 900 seconds (15
+    -- minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
+    -- as the default. Sessions for Amazon Web Services account owners are
+    -- restricted to a maximum of 3,600 seconds (one hour). If the duration is
+    -- longer than one hour, the session for Amazon Web Services account owners
+    -- defaults to one hour.
+    durationSeconds :: Prelude.Maybe Prelude.Natural,
+    -- | The identification number of the MFA device that is associated with the
+    -- IAM user who is making the @GetSessionToken@ call. Specify this value if
+    -- the IAM user has a policy that requires MFA authentication. The value is
+    -- either the serial number for a hardware device (such as @GAHT12345678@)
+    -- or an Amazon Resource Name (ARN) for a virtual device (such as
+    -- @arn:aws:iam::123456789012:mfa\/user@). You can find the device for an
+    -- IAM user by going to the Amazon Web Services Management Console and
+    -- viewing the user\'s security credentials.
+    --
+    -- The regex used to validate this parameter is a string of characters
+    -- consisting of upper- and lower-case alphanumeric characters with no
+    -- spaces. You can also include underscores or any of the following
+    -- characters: =,.\@:\/-
+    serialNumber :: Prelude.Maybe Prelude.Text,
+    -- | The value provided by the MFA device, if MFA is required. If any policy
+    -- requires the IAM user to submit an MFA code, specify this value. If MFA
+    -- authentication is required, the user must provide a code when requesting
+    -- a set of temporary security credentials. A user who fails to provide the
+    -- code receives an \"access denied\" response when requesting resources
+    -- that require MFA authentication.
+    --
+    -- The format for this parameter, as described by its regex pattern, is a
+    -- sequence of six numeric digits.
+    tokenCode :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetSessionToken' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'durationSeconds', 'getSessionToken_durationSeconds' - The duration, in seconds, that the credentials should remain valid.
+-- Acceptable durations for IAM user sessions range from 900 seconds (15
+-- minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
+-- as the default. Sessions for Amazon Web Services account owners are
+-- restricted to a maximum of 3,600 seconds (one hour). If the duration is
+-- longer than one hour, the session for Amazon Web Services account owners
+-- defaults to one hour.
+--
+-- 'serialNumber', 'getSessionToken_serialNumber' - The identification number of the MFA device that is associated with the
+-- IAM user who is making the @GetSessionToken@ call. Specify this value if
+-- the IAM user has a policy that requires MFA authentication. The value is
+-- either the serial number for a hardware device (such as @GAHT12345678@)
+-- or an Amazon Resource Name (ARN) for a virtual device (such as
+-- @arn:aws:iam::123456789012:mfa\/user@). You can find the device for an
+-- IAM user by going to the Amazon Web Services Management Console and
+-- viewing the user\'s security credentials.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@:\/-
+--
+-- 'tokenCode', 'getSessionToken_tokenCode' - The value provided by the MFA device, if MFA is required. If any policy
+-- requires the IAM user to submit an MFA code, specify this value. If MFA
+-- authentication is required, the user must provide a code when requesting
+-- a set of temporary security credentials. A user who fails to provide the
+-- code receives an \"access denied\" response when requesting resources
+-- that require MFA authentication.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
+newGetSessionToken ::
+  GetSessionToken
+newGetSessionToken =
+  GetSessionToken'
+    { durationSeconds = Prelude.Nothing,
+      serialNumber = Prelude.Nothing,
+      tokenCode = Prelude.Nothing
+    }
+
+-- | The duration, in seconds, that the credentials should remain valid.
+-- Acceptable durations for IAM user sessions range from 900 seconds (15
+-- minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
+-- as the default. Sessions for Amazon Web Services account owners are
+-- restricted to a maximum of 3,600 seconds (one hour). If the duration is
+-- longer than one hour, the session for Amazon Web Services account owners
+-- defaults to one hour.
+getSessionToken_durationSeconds :: Lens.Lens' GetSessionToken (Prelude.Maybe Prelude.Natural)
+getSessionToken_durationSeconds = Lens.lens (\GetSessionToken' {durationSeconds} -> durationSeconds) (\s@GetSessionToken' {} a -> s {durationSeconds = a} :: GetSessionToken)
+
+-- | The identification number of the MFA device that is associated with the
+-- IAM user who is making the @GetSessionToken@ call. Specify this value if
+-- the IAM user has a policy that requires MFA authentication. The value is
+-- either the serial number for a hardware device (such as @GAHT12345678@)
+-- or an Amazon Resource Name (ARN) for a virtual device (such as
+-- @arn:aws:iam::123456789012:mfa\/user@). You can find the device for an
+-- IAM user by going to the Amazon Web Services Management Console and
+-- viewing the user\'s security credentials.
+--
+-- The regex used to validate this parameter is a string of characters
+-- consisting of upper- and lower-case alphanumeric characters with no
+-- spaces. You can also include underscores or any of the following
+-- characters: =,.\@:\/-
+getSessionToken_serialNumber :: Lens.Lens' GetSessionToken (Prelude.Maybe Prelude.Text)
+getSessionToken_serialNumber = Lens.lens (\GetSessionToken' {serialNumber} -> serialNumber) (\s@GetSessionToken' {} a -> s {serialNumber = a} :: GetSessionToken)
+
+-- | The value provided by the MFA device, if MFA is required. If any policy
+-- requires the IAM user to submit an MFA code, specify this value. If MFA
+-- authentication is required, the user must provide a code when requesting
+-- a set of temporary security credentials. A user who fails to provide the
+-- code receives an \"access denied\" response when requesting resources
+-- that require MFA authentication.
+--
+-- The format for this parameter, as described by its regex pattern, is a
+-- sequence of six numeric digits.
+getSessionToken_tokenCode :: Lens.Lens' GetSessionToken (Prelude.Maybe Prelude.Text)
+getSessionToken_tokenCode = Lens.lens (\GetSessionToken' {tokenCode} -> tokenCode) (\s@GetSessionToken' {} a -> s {tokenCode = a} :: GetSessionToken)
+
+instance Core.AWSRequest GetSessionToken where
+  type
+    AWSResponse GetSessionToken =
+      GetSessionTokenResponse
+  request overrides =
+    Request.postQuery (overrides defaultService)
+  response =
+    Response.receiveXMLWrapper
+      "GetSessionTokenResult"
+      ( \s h x ->
+          GetSessionTokenResponse'
+            Prelude.<$> (x Data..@? "Credentials")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable GetSessionToken where
+  hashWithSalt _salt GetSessionToken' {..} =
+    _salt
+      `Prelude.hashWithSalt` durationSeconds
+      `Prelude.hashWithSalt` serialNumber
+      `Prelude.hashWithSalt` tokenCode
+
+instance Prelude.NFData GetSessionToken where
+  rnf GetSessionToken' {..} =
+    Prelude.rnf durationSeconds
+      `Prelude.seq` Prelude.rnf serialNumber
+      `Prelude.seq` Prelude.rnf tokenCode
+
+instance Data.ToHeaders GetSessionToken where
+  toHeaders = Prelude.const Prelude.mempty
+
+instance Data.ToPath GetSessionToken where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery GetSessionToken where
+  toQuery GetSessionToken' {..} =
+    Prelude.mconcat
+      [ "Action"
+          Data.=: ("GetSessionToken" :: Prelude.ByteString),
+        "Version"
+          Data.=: ("2011-06-15" :: Prelude.ByteString),
+        "DurationSeconds" Data.=: durationSeconds,
+        "SerialNumber" Data.=: serialNumber,
+        "TokenCode" Data.=: tokenCode
+      ]
+
+-- | Contains the response to a successful GetSessionToken request, including
+-- temporary Amazon Web Services credentials that can be used to make
+-- Amazon Web Services requests.
+--
+-- /See:/ 'newGetSessionTokenResponse' smart constructor.
+data GetSessionTokenResponse = GetSessionTokenResponse'
+  { -- | The temporary security credentials, which include an access key ID, a
+    -- secret access key, and a security (or session) token.
+    --
+    -- The size of the security token that STS API operations return is not
+    -- fixed. We strongly recommend that you make no assumptions about the
+    -- maximum size.
+    credentials :: Prelude.Maybe Core.AuthEnv,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'GetSessionTokenResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'credentials', 'getSessionTokenResponse_credentials' - The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+--
+-- 'httpStatus', 'getSessionTokenResponse_httpStatus' - The response's http status code.
+newGetSessionTokenResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  GetSessionTokenResponse
+newGetSessionTokenResponse pHttpStatus_ =
+  GetSessionTokenResponse'
+    { credentials =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+--
+-- The size of the security token that STS API operations return is not
+-- fixed. We strongly recommend that you make no assumptions about the
+-- maximum size.
+getSessionTokenResponse_credentials :: Lens.Lens' GetSessionTokenResponse (Prelude.Maybe Core.AuthEnv)
+getSessionTokenResponse_credentials = Lens.lens (\GetSessionTokenResponse' {credentials} -> credentials) (\s@GetSessionTokenResponse' {} a -> s {credentials = a} :: GetSessionTokenResponse)
+
+-- | The response's http status code.
+getSessionTokenResponse_httpStatus :: Lens.Lens' GetSessionTokenResponse Prelude.Int
+getSessionTokenResponse_httpStatus = Lens.lens (\GetSessionTokenResponse' {httpStatus} -> httpStatus) (\s@GetSessionTokenResponse' {} a -> s {httpStatus = a} :: GetSessionTokenResponse)
+
+instance Prelude.NFData GetSessionTokenResponse where
+  rnf GetSessionTokenResponse' {..} =
+    Prelude.rnf credentials
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/STS/Lens.hs b/gen/Amazonka/STS/Lens.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Lens.hs
@@ -0,0 +1,134 @@
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Lens
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Lens
+  ( -- * Operations
+
+    -- ** AssumeRole
+    assumeRole_durationSeconds,
+    assumeRole_externalId,
+    assumeRole_policy,
+    assumeRole_policyArns,
+    assumeRole_serialNumber,
+    assumeRole_sourceIdentity,
+    assumeRole_tags,
+    assumeRole_tokenCode,
+    assumeRole_transitiveTagKeys,
+    assumeRole_roleArn,
+    assumeRole_roleSessionName,
+    assumeRoleResponse_assumedRoleUser,
+    assumeRoleResponse_packedPolicySize,
+    assumeRoleResponse_sourceIdentity,
+    assumeRoleResponse_httpStatus,
+    assumeRoleResponse_credentials,
+
+    -- ** AssumeRoleWithSAML
+    assumeRoleWithSAML_durationSeconds,
+    assumeRoleWithSAML_policy,
+    assumeRoleWithSAML_policyArns,
+    assumeRoleWithSAML_roleArn,
+    assumeRoleWithSAML_principalArn,
+    assumeRoleWithSAML_sAMLAssertion,
+    assumeRoleWithSAMLResponse_assumedRoleUser,
+    assumeRoleWithSAMLResponse_audience,
+    assumeRoleWithSAMLResponse_credentials,
+    assumeRoleWithSAMLResponse_issuer,
+    assumeRoleWithSAMLResponse_nameQualifier,
+    assumeRoleWithSAMLResponse_packedPolicySize,
+    assumeRoleWithSAMLResponse_sourceIdentity,
+    assumeRoleWithSAMLResponse_subject,
+    assumeRoleWithSAMLResponse_subjectType,
+    assumeRoleWithSAMLResponse_httpStatus,
+
+    -- ** AssumeRoleWithWebIdentity
+    assumeRoleWithWebIdentity_durationSeconds,
+    assumeRoleWithWebIdentity_policy,
+    assumeRoleWithWebIdentity_policyArns,
+    assumeRoleWithWebIdentity_providerId,
+    assumeRoleWithWebIdentity_roleArn,
+    assumeRoleWithWebIdentity_roleSessionName,
+    assumeRoleWithWebIdentity_webIdentityToken,
+    assumeRoleWithWebIdentityResponse_assumedRoleUser,
+    assumeRoleWithWebIdentityResponse_audience,
+    assumeRoleWithWebIdentityResponse_packedPolicySize,
+    assumeRoleWithWebIdentityResponse_provider,
+    assumeRoleWithWebIdentityResponse_sourceIdentity,
+    assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken,
+    assumeRoleWithWebIdentityResponse_httpStatus,
+    assumeRoleWithWebIdentityResponse_credentials,
+
+    -- ** DecodeAuthorizationMessage
+    decodeAuthorizationMessage_encodedMessage,
+    decodeAuthorizationMessageResponse_decodedMessage,
+    decodeAuthorizationMessageResponse_httpStatus,
+
+    -- ** GetAccessKeyInfo
+    getAccessKeyInfo_accessKeyId,
+    getAccessKeyInfoResponse_account,
+    getAccessKeyInfoResponse_httpStatus,
+
+    -- ** GetCallerIdentity
+    getCallerIdentityResponse_account,
+    getCallerIdentityResponse_arn,
+    getCallerIdentityResponse_userId,
+    getCallerIdentityResponse_httpStatus,
+
+    -- ** GetFederationToken
+    getFederationToken_durationSeconds,
+    getFederationToken_policy,
+    getFederationToken_policyArns,
+    getFederationToken_tags,
+    getFederationToken_name,
+    getFederationTokenResponse_credentials,
+    getFederationTokenResponse_federatedUser,
+    getFederationTokenResponse_packedPolicySize,
+    getFederationTokenResponse_httpStatus,
+
+    -- ** GetSessionToken
+    getSessionToken_durationSeconds,
+    getSessionToken_serialNumber,
+    getSessionToken_tokenCode,
+    getSessionTokenResponse_credentials,
+    getSessionTokenResponse_httpStatus,
+
+    -- * Types
+
+    -- ** AssumedRoleUser
+    assumedRoleUser_assumedRoleId,
+    assumedRoleUser_arn,
+
+    -- ** FederatedUser
+    federatedUser_federatedUserId,
+    federatedUser_arn,
+
+    -- ** PolicyDescriptorType
+    policyDescriptorType_arn,
+
+    -- ** Tag
+    tag_key,
+    tag_value,
+  )
+where
+
+import Amazonka.STS.AssumeRole
+import Amazonka.STS.AssumeRoleWithSAML
+import Amazonka.STS.AssumeRoleWithWebIdentity
+import Amazonka.STS.DecodeAuthorizationMessage
+import Amazonka.STS.GetAccessKeyInfo
+import Amazonka.STS.GetCallerIdentity
+import Amazonka.STS.GetFederationToken
+import Amazonka.STS.GetSessionToken
+import Amazonka.STS.Types.AssumedRoleUser
+import Amazonka.STS.Types.FederatedUser
+import Amazonka.STS.Types.PolicyDescriptorType
+import Amazonka.STS.Types.Tag
diff --git a/gen/Amazonka/STS/Types.hs b/gen/Amazonka/STS/Types.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Types.hs
@@ -0,0 +1,236 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Types
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Types
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    _ExpiredTokenException,
+    _IDPCommunicationErrorException,
+    _IDPRejectedClaimException,
+    _InvalidAuthorizationMessageException,
+    _InvalidIdentityTokenException,
+    _MalformedPolicyDocumentException,
+    _PackedPolicyTooLargeException,
+    _RegionDisabledException,
+
+    -- * AssumedRoleUser
+    AssumedRoleUser (..),
+    newAssumedRoleUser,
+    assumedRoleUser_assumedRoleId,
+    assumedRoleUser_arn,
+
+    -- * FederatedUser
+    FederatedUser (..),
+    newFederatedUser,
+    federatedUser_federatedUserId,
+    federatedUser_arn,
+
+    -- * PolicyDescriptorType
+    PolicyDescriptorType (..),
+    newPolicyDescriptorType,
+    policyDescriptorType_arn,
+
+    -- * Tag
+    Tag (..),
+    newTag,
+    tag_key,
+    tag_value,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Prelude as Prelude
+import Amazonka.STS.Types.AssumedRoleUser
+import Amazonka.STS.Types.FederatedUser
+import Amazonka.STS.Types.PolicyDescriptorType
+import Amazonka.STS.Types.Tag
+import qualified Amazonka.Sign.V4 as Sign
+
+-- | API version @2011-06-15@ of the Amazon Security Token Service SDK configuration.
+defaultService :: Core.Service
+defaultService =
+  Core.Service
+    { Core.abbrev = "STS",
+      Core.signer = Sign.v4,
+      Core.endpointPrefix = "sts",
+      Core.signingName = "sts",
+      Core.version = "2011-06-15",
+      Core.s3AddressingStyle = Core.S3AddressingStyleAuto,
+      Core.endpoint = Core.defaultEndpoint defaultService,
+      Core.timeout = Prelude.Just 70,
+      Core.check = Core.statusSuccess,
+      Core.error = Core.parseXMLError "STS",
+      Core.retry = retry
+    }
+  where
+    retry =
+      Core.Exponential
+        { Core.base = 5.0e-2,
+          Core.growth = 2,
+          Core.attempts = 5,
+          Core.check = check
+        }
+    check e
+      | Lens.has (Core.hasStatus 502) e =
+          Prelude.Just "bad_gateway"
+      | Lens.has (Core.hasStatus 504) e =
+          Prelude.Just "gateway_timeout"
+      | Lens.has (Core.hasStatus 500) e =
+          Prelude.Just "general_server_error"
+      | Lens.has
+          ( Core.hasCode "IDPCommunicationError"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "idp_unreachable_error"
+      | Lens.has (Core.hasStatus 509) e =
+          Prelude.Just "limit_exceeded"
+      | Lens.has
+          ( Core.hasCode "RequestThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "request_throttled_exception"
+      | Lens.has (Core.hasStatus 503) e =
+          Prelude.Just "service_unavailable"
+      | Lens.has
+          ( Core.hasCode "ThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttled_exception"
+      | Lens.has
+          ( Core.hasCode "Throttling"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling"
+      | Lens.has
+          ( Core.hasCode "ThrottlingException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling_exception"
+      | Lens.has
+          ( Core.hasCode
+              "ProvisionedThroughputExceededException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throughput_exceeded"
+      | Lens.has (Core.hasStatus 429) e =
+          Prelude.Just "too_many_requests"
+      | Prelude.otherwise = Prelude.Nothing
+
+-- | The web identity token that was passed is expired or is not valid. Get a
+-- new identity token from the identity provider and then retry the
+-- request.
+_ExpiredTokenException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_ExpiredTokenException =
+  Core._MatchServiceError
+    defaultService
+    "ExpiredTokenException"
+    Prelude.. Core.hasStatus 400
+
+-- | The request could not be fulfilled because the identity provider (IDP)
+-- that was asked to verify the incoming identity token could not be
+-- reached. This is often a transient error caused by network conditions.
+-- Retry the request a limited number of times so that you don\'t exceed
+-- the request rate. If the error persists, the identity provider might be
+-- down or not responding.
+_IDPCommunicationErrorException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_IDPCommunicationErrorException =
+  Core._MatchServiceError
+    defaultService
+    "IDPCommunicationError"
+    Prelude.. Core.hasStatus 400
+
+-- | The identity provider (IdP) reported that authentication failed. This
+-- might be because the claim is invalid.
+--
+-- If this error is returned for the @AssumeRoleWithWebIdentity@ operation,
+-- it can also mean that the claim has expired or has been explicitly
+-- revoked.
+_IDPRejectedClaimException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_IDPRejectedClaimException =
+  Core._MatchServiceError
+    defaultService
+    "IDPRejectedClaim"
+    Prelude.. Core.hasStatus 403
+
+-- | The error returned if the message passed to @DecodeAuthorizationMessage@
+-- was invalid. This can happen if the token contains invalid characters,
+-- such as linebreaks.
+_InvalidAuthorizationMessageException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidAuthorizationMessageException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidAuthorizationMessageException"
+    Prelude.. Core.hasStatus 400
+
+-- | The web identity token that was passed could not be validated by Amazon
+-- Web Services. Get a new identity token from the identity provider and
+-- then retry the request.
+_InvalidIdentityTokenException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_InvalidIdentityTokenException =
+  Core._MatchServiceError
+    defaultService
+    "InvalidIdentityToken"
+    Prelude.. Core.hasStatus 400
+
+-- | The request was rejected because the policy document was malformed. The
+-- error message describes the specific error.
+_MalformedPolicyDocumentException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_MalformedPolicyDocumentException =
+  Core._MatchServiceError
+    defaultService
+    "MalformedPolicyDocument"
+    Prelude.. Core.hasStatus 400
+
+-- | The request was rejected because the total packed size of the session
+-- policies and session tags combined was too large. An Amazon Web Services
+-- conversion compresses the session policy document, session policy ARNs,
+-- and session tags into a packed binary format that has a separate limit.
+-- The error message indicates by percentage how close the policies and
+-- tags are to the upper size limit. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
+-- in the /IAM User Guide/.
+--
+-- You could receive this error even though you meet other defined session
+-- policy and session tag limits. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length IAM and STS Entity Character Limits>
+-- in the /IAM User Guide/.
+_PackedPolicyTooLargeException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_PackedPolicyTooLargeException =
+  Core._MatchServiceError
+    defaultService
+    "PackedPolicyTooLarge"
+    Prelude.. Core.hasStatus 400
+
+-- | STS is not activated in the requested region for the account that is
+-- being asked to generate credentials. The account administrator must use
+-- the IAM console to activate STS in that region. For more information,
+-- see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region>
+-- in the /IAM User Guide/.
+_RegionDisabledException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_RegionDisabledException =
+  Core._MatchServiceError
+    defaultService
+    "RegionDisabledException"
+    Prelude.. Core.hasStatus 403
diff --git a/gen/Amazonka/STS/Types/AssumedRoleUser.hs b/gen/Amazonka/STS/Types/AssumedRoleUser.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Types/AssumedRoleUser.hs
@@ -0,0 +1,103 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Types.AssumedRoleUser
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Types.AssumedRoleUser where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | The identifiers for the temporary security credentials that the
+-- operation returns.
+--
+-- /See:/ 'newAssumedRoleUser' smart constructor.
+data AssumedRoleUser = AssumedRoleUser'
+  { -- | A unique identifier that contains the role ID and the role session name
+    -- of the role that is being assumed. The role ID is generated by Amazon
+    -- Web Services when the role is created.
+    assumedRoleId :: Prelude.Text,
+    -- | The ARN of the temporary security credentials that are returned from the
+    -- AssumeRole action. For more information about ARNs and how to use them
+    -- in policies, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+    -- in the /IAM User Guide/.
+    arn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'AssumedRoleUser' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'assumedRoleId', 'assumedRoleUser_assumedRoleId' - A unique identifier that contains the role ID and the role session name
+-- of the role that is being assumed. The role ID is generated by Amazon
+-- Web Services when the role is created.
+--
+-- 'arn', 'assumedRoleUser_arn' - The ARN of the temporary security credentials that are returned from the
+-- AssumeRole action. For more information about ARNs and how to use them
+-- in policies, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in the /IAM User Guide/.
+newAssumedRoleUser ::
+  -- | 'assumedRoleId'
+  Prelude.Text ->
+  -- | 'arn'
+  Prelude.Text ->
+  AssumedRoleUser
+newAssumedRoleUser pAssumedRoleId_ pArn_ =
+  AssumedRoleUser'
+    { assumedRoleId = pAssumedRoleId_,
+      arn = pArn_
+    }
+
+-- | A unique identifier that contains the role ID and the role session name
+-- of the role that is being assumed. The role ID is generated by Amazon
+-- Web Services when the role is created.
+assumedRoleUser_assumedRoleId :: Lens.Lens' AssumedRoleUser Prelude.Text
+assumedRoleUser_assumedRoleId = Lens.lens (\AssumedRoleUser' {assumedRoleId} -> assumedRoleId) (\s@AssumedRoleUser' {} a -> s {assumedRoleId = a} :: AssumedRoleUser)
+
+-- | The ARN of the temporary security credentials that are returned from the
+-- AssumeRole action. For more information about ARNs and how to use them
+-- in policies, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in the /IAM User Guide/.
+assumedRoleUser_arn :: Lens.Lens' AssumedRoleUser Prelude.Text
+assumedRoleUser_arn = Lens.lens (\AssumedRoleUser' {arn} -> arn) (\s@AssumedRoleUser' {} a -> s {arn = a} :: AssumedRoleUser)
+
+instance Data.FromXML AssumedRoleUser where
+  parseXML x =
+    AssumedRoleUser'
+      Prelude.<$> (x Data..@ "AssumedRoleId")
+      Prelude.<*> (x Data..@ "Arn")
+
+instance Prelude.Hashable AssumedRoleUser where
+  hashWithSalt _salt AssumedRoleUser' {..} =
+    _salt
+      `Prelude.hashWithSalt` assumedRoleId
+      `Prelude.hashWithSalt` arn
+
+instance Prelude.NFData AssumedRoleUser where
+  rnf AssumedRoleUser' {..} =
+    Prelude.rnf assumedRoleId
+      `Prelude.seq` Prelude.rnf arn
diff --git a/gen/Amazonka/STS/Types/FederatedUser.hs b/gen/Amazonka/STS/Types/FederatedUser.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Types/FederatedUser.hs
@@ -0,0 +1,100 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Types.FederatedUser
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Types.FederatedUser where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | Identifiers for the federated user that is associated with the
+-- credentials.
+--
+-- /See:/ 'newFederatedUser' smart constructor.
+data FederatedUser = FederatedUser'
+  { -- | The string that identifies the federated user associated with the
+    -- credentials, similar to the unique ID of an IAM user.
+    federatedUserId :: Prelude.Text,
+    -- | The ARN that specifies the federated user that is associated with the
+    -- credentials. For more information about ARNs and how to use them in
+    -- policies, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+    -- in the /IAM User Guide/.
+    arn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'FederatedUser' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'federatedUserId', 'federatedUser_federatedUserId' - The string that identifies the federated user associated with the
+-- credentials, similar to the unique ID of an IAM user.
+--
+-- 'arn', 'federatedUser_arn' - The ARN that specifies the federated user that is associated with the
+-- credentials. For more information about ARNs and how to use them in
+-- policies, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in the /IAM User Guide/.
+newFederatedUser ::
+  -- | 'federatedUserId'
+  Prelude.Text ->
+  -- | 'arn'
+  Prelude.Text ->
+  FederatedUser
+newFederatedUser pFederatedUserId_ pArn_ =
+  FederatedUser'
+    { federatedUserId = pFederatedUserId_,
+      arn = pArn_
+    }
+
+-- | The string that identifies the federated user associated with the
+-- credentials, similar to the unique ID of an IAM user.
+federatedUser_federatedUserId :: Lens.Lens' FederatedUser Prelude.Text
+federatedUser_federatedUserId = Lens.lens (\FederatedUser' {federatedUserId} -> federatedUserId) (\s@FederatedUser' {} a -> s {federatedUserId = a} :: FederatedUser)
+
+-- | The ARN that specifies the federated user that is associated with the
+-- credentials. For more information about ARNs and how to use them in
+-- policies, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>
+-- in the /IAM User Guide/.
+federatedUser_arn :: Lens.Lens' FederatedUser Prelude.Text
+federatedUser_arn = Lens.lens (\FederatedUser' {arn} -> arn) (\s@FederatedUser' {} a -> s {arn = a} :: FederatedUser)
+
+instance Data.FromXML FederatedUser where
+  parseXML x =
+    FederatedUser'
+      Prelude.<$> (x Data..@ "FederatedUserId")
+      Prelude.<*> (x Data..@ "Arn")
+
+instance Prelude.Hashable FederatedUser where
+  hashWithSalt _salt FederatedUser' {..} =
+    _salt
+      `Prelude.hashWithSalt` federatedUserId
+      `Prelude.hashWithSalt` arn
+
+instance Prelude.NFData FederatedUser where
+  rnf FederatedUser' {..} =
+    Prelude.rnf federatedUserId
+      `Prelude.seq` Prelude.rnf arn
diff --git a/gen/Amazonka/STS/Types/PolicyDescriptorType.hs b/gen/Amazonka/STS/Types/PolicyDescriptorType.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Types/PolicyDescriptorType.hs
@@ -0,0 +1,73 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Types.PolicyDescriptorType
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Types.PolicyDescriptorType where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | A reference to the IAM managed policy that is passed as a session policy
+-- for a role session or a federated user session.
+--
+-- /See:/ 'newPolicyDescriptorType' smart constructor.
+data PolicyDescriptorType = PolicyDescriptorType'
+  { -- | The Amazon Resource Name (ARN) of the IAM managed policy to use as a
+    -- session policy for the role. For more information about ARNs, see
+    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+    -- in the /Amazon Web Services General Reference/.
+    arn :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'PolicyDescriptorType' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'arn', 'policyDescriptorType_arn' - The Amazon Resource Name (ARN) of the IAM managed policy to use as a
+-- session policy for the role. For more information about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the /Amazon Web Services General Reference/.
+newPolicyDescriptorType ::
+  PolicyDescriptorType
+newPolicyDescriptorType =
+  PolicyDescriptorType' {arn = Prelude.Nothing}
+
+-- | The Amazon Resource Name (ARN) of the IAM managed policy to use as a
+-- session policy for the role. For more information about ARNs, see
+-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
+-- in the /Amazon Web Services General Reference/.
+policyDescriptorType_arn :: Lens.Lens' PolicyDescriptorType (Prelude.Maybe Prelude.Text)
+policyDescriptorType_arn = Lens.lens (\PolicyDescriptorType' {arn} -> arn) (\s@PolicyDescriptorType' {} a -> s {arn = a} :: PolicyDescriptorType)
+
+instance Prelude.Hashable PolicyDescriptorType where
+  hashWithSalt _salt PolicyDescriptorType' {..} =
+    _salt `Prelude.hashWithSalt` arn
+
+instance Prelude.NFData PolicyDescriptorType where
+  rnf PolicyDescriptorType' {..} = Prelude.rnf arn
+
+instance Data.ToQuery PolicyDescriptorType where
+  toQuery PolicyDescriptorType' {..} =
+    Prelude.mconcat ["arn" Data.=: arn]
diff --git a/gen/Amazonka/STS/Types/Tag.hs b/gen/Amazonka/STS/Types/Tag.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Types/Tag.hs
@@ -0,0 +1,113 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Types.Tag
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Types.Tag where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | You can pass custom key-value pair attributes when you assume a role or
+-- federate a user. These are called session tags. You can then use the
+-- session tags to control access to resources. For more information, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging Amazon Web Services STS Sessions>
+-- in the /IAM User Guide/.
+--
+-- /See:/ 'newTag' smart constructor.
+data Tag = Tag'
+  { -- | The key for a session tag.
+    --
+    -- You can pass up to 50 session tags. The plain text session tag keys
+    -- can’t exceed 128 characters. For these and additional limits, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+    -- in the /IAM User Guide/.
+    key :: Prelude.Text,
+    -- | The value for a session tag.
+    --
+    -- You can pass up to 50 session tags. The plain text session tag values
+    -- can’t exceed 256 characters. For these and additional limits, see
+    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+    -- in the /IAM User Guide/.
+    value :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Tag' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'key', 'tag_key' - The key for a session tag.
+--
+-- You can pass up to 50 session tags. The plain text session tag keys
+-- can’t exceed 128 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+--
+-- 'value', 'tag_value' - The value for a session tag.
+--
+-- You can pass up to 50 session tags. The plain text session tag values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+newTag ::
+  -- | 'key'
+  Prelude.Text ->
+  -- | 'value'
+  Prelude.Text ->
+  Tag
+newTag pKey_ pValue_ =
+  Tag' {key = pKey_, value = pValue_}
+
+-- | The key for a session tag.
+--
+-- You can pass up to 50 session tags. The plain text session tag keys
+-- can’t exceed 128 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+tag_key :: Lens.Lens' Tag Prelude.Text
+tag_key = Lens.lens (\Tag' {key} -> key) (\s@Tag' {} a -> s {key = a} :: Tag)
+
+-- | The value for a session tag.
+--
+-- You can pass up to 50 session tags. The plain text session tag values
+-- can’t exceed 256 characters. For these and additional limits, see
+-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
+-- in the /IAM User Guide/.
+tag_value :: Lens.Lens' Tag Prelude.Text
+tag_value = Lens.lens (\Tag' {value} -> value) (\s@Tag' {} a -> s {value = a} :: Tag)
+
+instance Prelude.Hashable Tag where
+  hashWithSalt _salt Tag' {..} =
+    _salt
+      `Prelude.hashWithSalt` key
+      `Prelude.hashWithSalt` value
+
+instance Prelude.NFData Tag where
+  rnf Tag' {..} =
+    Prelude.rnf key `Prelude.seq` Prelude.rnf value
+
+instance Data.ToQuery Tag where
+  toQuery Tag' {..} =
+    Prelude.mconcat
+      ["Key" Data.=: key, "Value" Data.=: value]
diff --git a/gen/Amazonka/STS/Waiters.hs b/gen/Amazonka/STS/Waiters.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/STS/Waiters.hs
@@ -0,0 +1,24 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.STS.Waiters
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.STS.Waiters where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+import Amazonka.STS.Lens
+import Amazonka.STS.Types
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS.hs
+++ /dev/null
@@ -1,152 +0,0 @@
-{-# OPTIONS_GHC -fno-warn-unused-imports    #-}
-{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- __AWS Security Token Service__
---
--- The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html Temporary Security Credentials> .
---
--- For information about setting up signatures and authorization through the API, go to <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests> in the /AWS General Reference/ . For general information about the Query API, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests> in /Using IAM/ . For information about using security tokens with other AWS products, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html AWS Services That Work with IAM> in the /IAM User Guide/ .
---
--- If you're new to AWS and need additional technical information about a specific AWS product, you can find the product's technical documentation at <http://aws.amazon.com/documentation/ http://aws.amazon.com/documentation/> .
---
--- __Endpoints__
---
--- The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com that maps to the US East (N. Virginia) region. Additional regions are available and are activated by default. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region> in the /IAM User Guide/ .
---
--- For information about STS endpoints, see <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints> in the /AWS General Reference/ .
---
--- __Recording API requests__
---
--- STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine what requests were successfully made to STS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide> .
---
-module Network.AWS.STS
-    (
-    -- * Service Configuration
-      sts
-
-    -- * Errors
-    -- $errors
-
-    -- ** MalformedPolicyDocumentException
-    , _MalformedPolicyDocumentException
-
-    -- ** InvalidAuthorizationMessageException
-    , _InvalidAuthorizationMessageException
-
-    -- ** PackedPolicyTooLargeException
-    , _PackedPolicyTooLargeException
-
-    -- ** RegionDisabledException
-    , _RegionDisabledException
-
-    -- ** IdPCommunicationErrorException
-    , _IdPCommunicationErrorException
-
-    -- ** InvalidIdentityTokenException
-    , _InvalidIdentityTokenException
-
-    -- ** ExpiredTokenException
-    , _ExpiredTokenException
-
-    -- ** IdPRejectedClaimException
-    , _IdPRejectedClaimException
-
-    -- * Waiters
-    -- $waiters
-
-    -- * Operations
-    -- $operations
-
-    -- ** GetCallerIdentity
-    , module Network.AWS.STS.GetCallerIdentity
-
-    -- ** AssumeRole
-    , module Network.AWS.STS.AssumeRole
-
-    -- ** DecodeAuthorizationMessage
-    , module Network.AWS.STS.DecodeAuthorizationMessage
-
-    -- ** AssumeRoleWithWebIdentity
-    , module Network.AWS.STS.AssumeRoleWithWebIdentity
-
-    -- ** GetFederationToken
-    , module Network.AWS.STS.GetFederationToken
-
-    -- ** GetSessionToken
-    , module Network.AWS.STS.GetSessionToken
-
-    -- ** AssumeRoleWithSAML
-    , module Network.AWS.STS.AssumeRoleWithSAML
-
-    -- * Types
-
-    -- ** AssumedRoleUser
-    , AssumedRoleUser
-    , assumedRoleUser
-    , aruAssumedRoleId
-    , aruARN
-
-    -- ** Credentials
-    , Credentials
-    , credentials
-    , cAccessKeyId
-    , cSecretAccessKey
-    , cSessionToken
-    , cExpiration
-
-    -- ** FederatedUser
-    , FederatedUser
-    , federatedUser
-    , fuFederatedUserId
-    , fuARN
-    ) where
-
-import           Network.AWS.STS.AssumeRole
-import           Network.AWS.STS.AssumeRoleWithSAML
-import           Network.AWS.STS.AssumeRoleWithWebIdentity
-import           Network.AWS.STS.DecodeAuthorizationMessage
-import           Network.AWS.STS.GetCallerIdentity
-import           Network.AWS.STS.GetFederationToken
-import           Network.AWS.STS.GetSessionToken
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Waiters
-
-{- $errors
-Error matchers are designed for use with the functions provided by
-<http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
-This allows catching (and rethrowing) service specific errors returned
-by 'STS'.
--}
-
-{- $operations
-Some AWS operations return results that are incomplete and require subsequent
-requests in order to obtain the entire result set. The process of sending
-subsequent requests to continue where a previous request left off is called
-pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
-1000 objects at a time, and you must send subsequent requests with the
-appropriate Marker in order to retrieve the next page of results.
-
-Operations that have an 'AWSPager' instance can transparently perform subsequent
-requests, correctly setting Markers and other request facets to iterate through
-the entire result set of a truncated API operation. Operations which support
-this have an additional note in the documentation.
-
-Many operations have the ability to filter results on the server side. See the
-individual operation parameters for details.
--}
-
-{- $waiters
-Waiters poll by repeatedly sending a request until some remote success condition
-configured by the 'Wait' specification is fulfilled. The 'Wait' specification
-determines how many attempts should be made, in addition to delay and retry strategies.
--}
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/AssumeRole.hs
+++ /dev/null
@@ -1,235 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.AssumeRole
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) that you can use to access AWS resources that you might not normally have access to. Typically, you use @AssumeRole@ for cross-account access or federation. For a comparison of @AssumeRole@ with the other APIs that produce temporary credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs> in the /IAM User Guide/ .
---
---
--- __Important:__ You cannot call @AssumeRole@ by using AWS root account credentials; access is denied. You must use credentials for an IAM user or an IAM role to call @AssumeRole@ .
---
--- For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)> in the /IAM User Guide/ .
---
--- For federation, you can, for example, grant single sign-on access to the AWS Management Console. If you already have an identity and authentication system in your corporate network, you don't have to recreate user identities in AWS in order to grant those user identities access to AWS. Instead, after a user has been authenticated, you call @AssumeRole@ (and specify the role with the appropriate permissions) to get temporary security credentials for that user. With those temporary security credentials, you construct a sign-in URL that users can use to access the console. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction Common Scenarios for Temporary Credentials> in the /IAM User Guide/ .
---
--- The temporary security credentials are valid for the duration that you specified when calling @AssumeRole@ , which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
---
--- The temporary security credentials created by @AssumeRole@ can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's @GetFederationToken@ or @GetSessionToken@ APIs.
---
--- Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ .
---
--- To assume a role, your AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created. That trust policy states which accounts are allowed to delegate access to this account's role.
---
--- The user who wants to access the role must also have permissions delegated from the role's administrator. If the user is in a different account than the role, then the user's administrator must attach a policy that allows the user to call AssumeRole on the ARN of the role in the other account. If the user is in the same account as the role, then you can either attach a policy to the user (identical to the previous different account user), or you can add the user as a principal directly in the role's trust policy
---
--- __Using MFA with AssumeRole__
---
--- You can optionally include multi-factor authentication (MFA) information when you call @AssumeRole@ . This is useful for cross-account scenarios in which you want to make sure that the user who is assuming the role has been authenticated using an AWS MFA device. In that scenario, the trust policy of the role being assumed includes a condition that tests for MFA authentication; if the caller does not include valid MFA information, the request to assume the role is denied. The condition in a trust policy that tests for MFA authentication might look like the following example.
---
--- @"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}@
---
--- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /IAM User Guide/ guide.
---
--- To use MFA with @AssumeRole@ , you pass values for the @SerialNumber@ and @TokenCode@ parameters. The @SerialNumber@ value identifies the user's hardware or virtual MFA device. The @TokenCode@ is the time-based one-time password (TOTP) that the MFA devices produces.
---
-module Network.AWS.STS.AssumeRole
-    (
-    -- * Creating a Request
-      assumeRole
-    , AssumeRole
-    -- * Request Lenses
-    , arTokenCode
-    , arDurationSeconds
-    , arPolicy
-    , arExternalId
-    , arSerialNumber
-    , arRoleARN
-    , arRoleSessionName
-
-    -- * Destructuring the Response
-    , assumeRoleResponse
-    , AssumeRoleResponse
-    -- * Response Lenses
-    , arrsPackedPolicySize
-    , arrsCredentials
-    , arrsAssumedRoleUser
-    , arrsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'assumeRole' smart constructor.
-data AssumeRole = AssumeRole'
-    { _arTokenCode       :: !(Maybe Text)
-    , _arDurationSeconds :: !(Maybe Nat)
-    , _arPolicy          :: !(Maybe Text)
-    , _arExternalId      :: !(Maybe Text)
-    , _arSerialNumber    :: !(Maybe Text)
-    , _arRoleARN         :: !Text
-    , _arRoleSessionName :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRole' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arTokenCode' - The value provided by the MFA device, if the trust policy of the role being assumed requires MFA (that is, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if the @TokenCode@ value is missing or expired, the @AssumeRole@ call returns an "access denied" error. The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
---
--- * 'arDurationSeconds' - The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds.
---
--- * 'arPolicy' - An IAM policy in JSON format. This parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both (the intersection of) the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ . The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
---
--- * 'arExternalId' - A unique identifier that is used by third parties when assuming roles in their customers' accounts. For each role that the third party can assume, they should instruct their customers to ensure the role's trust policy checks for the external ID that the third party generated. Each time the third party assumes the role, they should pass the customer's external ID. The external ID is useful in order to help third parties bind a role to the customer who created it. For more information about the external ID, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your AWS Resources to a Third Party> in the /IAM User Guide/ . The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:\/-
---
--- * 'arSerialNumber' - The identification number of the MFA device that is associated with the user who is making the @AssumeRole@ call. Specify this value if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value is either the serial number for a hardware device (such as @GAHT12345678@ ) or an Amazon Resource Name (ARN) for a virtual device (such as @arn:aws:iam::123456789012:mfa/user@ ). The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
---
--- * 'arRoleARN' - The Amazon Resource Name (ARN) of the role to assume.
---
--- * 'arRoleSessionName' - An identifier for the assumed role session. Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests using the temporary security credentials will expose the role session name to the external account in their CloudTrail logs. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-assumeRole
-    :: Text -- ^ 'arRoleARN'
-    -> Text -- ^ 'arRoleSessionName'
-    -> AssumeRole
-assumeRole pRoleARN_ pRoleSessionName_ =
-    AssumeRole'
-    { _arTokenCode = Nothing
-    , _arDurationSeconds = Nothing
-    , _arPolicy = Nothing
-    , _arExternalId = Nothing
-    , _arSerialNumber = Nothing
-    , _arRoleARN = pRoleARN_
-    , _arRoleSessionName = pRoleSessionName_
-    }
-
--- | The value provided by the MFA device, if the trust policy of the role being assumed requires MFA (that is, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if the @TokenCode@ value is missing or expired, the @AssumeRole@ call returns an "access denied" error. The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
-arTokenCode :: Lens' AssumeRole (Maybe Text)
-arTokenCode = lens _arTokenCode (\ s a -> s{_arTokenCode = a});
-
--- | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds.
-arDurationSeconds :: Lens' AssumeRole (Maybe Natural)
-arDurationSeconds = lens _arDurationSeconds (\ s a -> s{_arDurationSeconds = a}) . mapping _Nat;
-
--- | An IAM policy in JSON format. This parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both (the intersection of) the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ . The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
-arPolicy :: Lens' AssumeRole (Maybe Text)
-arPolicy = lens _arPolicy (\ s a -> s{_arPolicy = a});
-
--- | A unique identifier that is used by third parties when assuming roles in their customers' accounts. For each role that the third party can assume, they should instruct their customers to ensure the role's trust policy checks for the external ID that the third party generated. Each time the third party assumes the role, they should pass the customer's external ID. The external ID is useful in order to help third parties bind a role to the customer who created it. For more information about the external ID, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your AWS Resources to a Third Party> in the /IAM User Guide/ . The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:\/-
-arExternalId :: Lens' AssumeRole (Maybe Text)
-arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a});
-
--- | The identification number of the MFA device that is associated with the user who is making the @AssumeRole@ call. Specify this value if the trust policy of the role being assumed includes a condition that requires MFA authentication. The value is either the serial number for a hardware device (such as @GAHT12345678@ ) or an Amazon Resource Name (ARN) for a virtual device (such as @arn:aws:iam::123456789012:mfa/user@ ). The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-arSerialNumber :: Lens' AssumeRole (Maybe Text)
-arSerialNumber = lens _arSerialNumber (\ s a -> s{_arSerialNumber = a});
-
--- | The Amazon Resource Name (ARN) of the role to assume.
-arRoleARN :: Lens' AssumeRole Text
-arRoleARN = lens _arRoleARN (\ s a -> s{_arRoleARN = a});
-
--- | An identifier for the assumed role session. Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests using the temporary security credentials will expose the role session name to the external account in their CloudTrail logs. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-arRoleSessionName :: Lens' AssumeRole Text
-arRoleSessionName = lens _arRoleSessionName (\ s a -> s{_arRoleSessionName = a});
-
-instance AWSRequest AssumeRole where
-        type Rs AssumeRole = AssumeRoleResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "AssumeRoleResult"
-              (\ s h x ->
-                 AssumeRoleResponse' <$>
-                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")
-                     <*> (x .@? "AssumedRoleUser")
-                     <*> (pure (fromEnum s)))
-
-instance Hashable AssumeRole
-
-instance NFData AssumeRole
-
-instance ToHeaders AssumeRole where
-        toHeaders = const mempty
-
-instance ToPath AssumeRole where
-        toPath = const "/"
-
-instance ToQuery AssumeRole where
-        toQuery AssumeRole'{..}
-          = mconcat
-              ["Action" =: ("AssumeRole" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "TokenCode" =: _arTokenCode,
-               "DurationSeconds" =: _arDurationSeconds,
-               "Policy" =: _arPolicy, "ExternalId" =: _arExternalId,
-               "SerialNumber" =: _arSerialNumber,
-               "RoleArn" =: _arRoleARN,
-               "RoleSessionName" =: _arRoleSessionName]
-
--- | Contains the response to a successful 'AssumeRole' request, including temporary AWS credentials that can be used to make AWS requests.
---
---
---
--- /See:/ 'assumeRoleResponse' smart constructor.
-data AssumeRoleResponse = AssumeRoleResponse'
-    { _arrsPackedPolicySize :: !(Maybe Nat)
-    , _arrsCredentials      :: !(Maybe Credentials)
-    , _arrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)
-    , _arrsResponseStatus   :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRoleResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arrsPackedPolicySize' - A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
---
--- * 'arrsCredentials' - The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
---
--- * 'arrsAssumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials. For example, you can reference these credentials as a principal in a resource-based policy by using the ARN or assumed role ID. The ARN and ID include the @RoleSessionName@ that you specified when you called @AssumeRole@ .
---
--- * 'arrsResponseStatus' - -- | The response status code.
-assumeRoleResponse
-    :: Int -- ^ 'arrsResponseStatus'
-    -> AssumeRoleResponse
-assumeRoleResponse pResponseStatus_ =
-    AssumeRoleResponse'
-    { _arrsPackedPolicySize = Nothing
-    , _arrsCredentials = Nothing
-    , _arrsAssumedRoleUser = Nothing
-    , _arrsResponseStatus = pResponseStatus_
-    }
-
--- | A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
-arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
-arrsPackedPolicySize = lens _arrsPackedPolicySize (\ s a -> s{_arrsPackedPolicySize = a}) . mapping _Nat;
-
--- | The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
-arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
-arrsCredentials = lens _arrsCredentials (\ s a -> s{_arrsCredentials = a});
-
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials. For example, you can reference these credentials as a principal in a resource-based policy by using the ARN or assumed role ID. The ARN and ID include the @RoleSessionName@ that you specified when you called @AssumeRole@ .
-arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
-arrsAssumedRoleUser = lens _arrsAssumedRoleUser (\ s a -> s{_arrsAssumedRoleUser = a});
-
--- | -- | The response status code.
-arrsResponseStatus :: Lens' AssumeRoleResponse Int
-arrsResponseStatus = lens _arrsResponseStatus (\ s a -> s{_arrsResponseStatus = a});
-
-instance NFData AssumeRoleResponse
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
+++ /dev/null
@@ -1,268 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.AssumeRoleWithSAML
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of @AssumeRoleWithSAML@ with the other APIs that produce temporary credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs> in the /IAM User Guide/ .
---
---
--- The temporary security credentials returned by this operation consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS services.
---
--- The temporary security credentials are valid for the duration that you specified when calling @AssumeRole@ , or until the time specified in the SAML authentication response's @SessionNotOnOrAfter@ value, whichever is shorter. The duration can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
---
--- The temporary security credentials created by @AssumeRoleWithSAML@ can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's @GetFederationToken@ or @GetSessionToken@ APIs.
---
--- Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by the intersection of both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This means that both policies must grant the permission for the action to be allowed. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ .
---
--- Before your application can call @AssumeRoleWithSAML@ , you must configure your SAML identity provider (IdP) to issue the claims required by AWS. Additionally, you must use AWS Identity and Access Management (IAM) to create a SAML provider entity in your AWS account that represents your identity provider, and create an IAM role that specifies this SAML provider in its trust policy.
---
--- Calling @AssumeRoleWithSAML@ does not require the use of AWS security credentials. The identity of the caller is validated by using keys in the metadata document that is uploaded for the SAML provider entity for your identity provider.
---
--- /Important:/ Calling @AssumeRoleWithSAML@ can result in an entry in your AWS CloudTrail logs. The entry includes the value in the @NameID@ element of the SAML assertion. We recommend that you use a NameIDType that is not associated with any personally identifiable information (PII). For example, you could instead use the Persistent Identifier (@urn:oasis:names:tc:SAML:2.0:nameid-format:persistent@ ).
---
--- For more information, see the following resources:
---
---     * <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html About SAML 2.0-based Federation> in the /IAM User Guide/ .
---
---     * <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html Creating SAML Identity Providers> in the /IAM User Guide/ .
---
---     * <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html Configuring a Relying Party and Claims> in the /IAM User Guide/ .
---
---     * <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html Creating a Role for SAML 2.0 Federation> in the /IAM User Guide/ .
---
---
---
-module Network.AWS.STS.AssumeRoleWithSAML
-    (
-    -- * Creating a Request
-      assumeRoleWithSAML
-    , AssumeRoleWithSAML
-    -- * Request Lenses
-    , arwsamlDurationSeconds
-    , arwsamlPolicy
-    , arwsamlRoleARN
-    , arwsamlPrincipalARN
-    , arwsamlSAMLAssertion
-
-    -- * Destructuring the Response
-    , assumeRoleWithSAMLResponse
-    , AssumeRoleWithSAMLResponse
-    -- * Response Lenses
-    , arwsamlrsSubject
-    , arwsamlrsAudience
-    , arwsamlrsPackedPolicySize
-    , arwsamlrsCredentials
-    , arwsamlrsSubjectType
-    , arwsamlrsNameQualifier
-    , arwsamlrsAssumedRoleUser
-    , arwsamlrsIssuer
-    , arwsamlrsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'assumeRoleWithSAML' smart constructor.
-data AssumeRoleWithSAML = AssumeRoleWithSAML'
-    { _arwsamlDurationSeconds :: !(Maybe Nat)
-    , _arwsamlPolicy          :: !(Maybe Text)
-    , _arwsamlRoleARN         :: !Text
-    , _arwsamlPrincipalARN    :: !Text
-    , _arwsamlSAMLAssertion   :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRoleWithSAML' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arwsamlDurationSeconds' - The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds. An expiration can also be specified in the SAML authentication response's @SessionNotOnOrAfter@ value. The actual expiration time is whichever value is shorter.
---
--- * 'arwsamlPolicy' - An IAM policy in JSON format. The policy parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ .  The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
---
--- * 'arwsamlRoleARN' - The Amazon Resource Name (ARN) of the role that the caller is assuming.
---
--- * 'arwsamlPrincipalARN' - The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
---
--- * 'arwsamlSAMLAssertion' - The base-64 encoded SAML authentication response provided by the IdP. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in the /Using IAM/ guide.
-assumeRoleWithSAML
-    :: Text -- ^ 'arwsamlRoleARN'
-    -> Text -- ^ 'arwsamlPrincipalARN'
-    -> Text -- ^ 'arwsamlSAMLAssertion'
-    -> AssumeRoleWithSAML
-assumeRoleWithSAML pRoleARN_ pPrincipalARN_ pSAMLAssertion_ =
-    AssumeRoleWithSAML'
-    { _arwsamlDurationSeconds = Nothing
-    , _arwsamlPolicy = Nothing
-    , _arwsamlRoleARN = pRoleARN_
-    , _arwsamlPrincipalARN = pPrincipalARN_
-    , _arwsamlSAMLAssertion = pSAMLAssertion_
-    }
-
--- | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds. An expiration can also be specified in the SAML authentication response's @SessionNotOnOrAfter@ value. The actual expiration time is whichever value is shorter.
-arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)
-arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\ s a -> s{_arwsamlDurationSeconds = a}) . mapping _Nat;
-
--- | An IAM policy in JSON format. The policy parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ .  The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
-arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)
-arwsamlPolicy = lens _arwsamlPolicy (\ s a -> s{_arwsamlPolicy = a});
-
--- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
-arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text
-arwsamlRoleARN = lens _arwsamlRoleARN (\ s a -> s{_arwsamlRoleARN = a});
-
--- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
-arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text
-arwsamlPrincipalARN = lens _arwsamlPrincipalARN (\ s a -> s{_arwsamlPrincipalARN = a});
-
--- | The base-64 encoded SAML authentication response provided by the IdP. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in the /Using IAM/ guide.
-arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text
-arwsamlSAMLAssertion = lens _arwsamlSAMLAssertion (\ s a -> s{_arwsamlSAMLAssertion = a});
-
-instance AWSRequest AssumeRoleWithSAML where
-        type Rs AssumeRoleWithSAML =
-             AssumeRoleWithSAMLResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "AssumeRoleWithSAMLResult"
-              (\ s h x ->
-                 AssumeRoleWithSAMLResponse' <$>
-                   (x .@? "Subject") <*> (x .@? "Audience") <*>
-                     (x .@? "PackedPolicySize")
-                     <*> (x .@? "Credentials")
-                     <*> (x .@? "SubjectType")
-                     <*> (x .@? "NameQualifier")
-                     <*> (x .@? "AssumedRoleUser")
-                     <*> (x .@? "Issuer")
-                     <*> (pure (fromEnum s)))
-
-instance Hashable AssumeRoleWithSAML
-
-instance NFData AssumeRoleWithSAML
-
-instance ToHeaders AssumeRoleWithSAML where
-        toHeaders = const mempty
-
-instance ToPath AssumeRoleWithSAML where
-        toPath = const "/"
-
-instance ToQuery AssumeRoleWithSAML where
-        toQuery AssumeRoleWithSAML'{..}
-          = mconcat
-              ["Action" =: ("AssumeRoleWithSAML" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "DurationSeconds" =: _arwsamlDurationSeconds,
-               "Policy" =: _arwsamlPolicy,
-               "RoleArn" =: _arwsamlRoleARN,
-               "PrincipalArn" =: _arwsamlPrincipalARN,
-               "SAMLAssertion" =: _arwsamlSAMLAssertion]
-
--- | Contains the response to a successful 'AssumeRoleWithSAML' request, including temporary AWS credentials that can be used to make AWS requests.
---
---
---
--- /See:/ 'assumeRoleWithSAMLResponse' smart constructor.
-data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse'
-    { _arwsamlrsSubject          :: !(Maybe Text)
-    , _arwsamlrsAudience         :: !(Maybe Text)
-    , _arwsamlrsPackedPolicySize :: !(Maybe Nat)
-    , _arwsamlrsCredentials      :: !(Maybe Credentials)
-    , _arwsamlrsSubjectType      :: !(Maybe Text)
-    , _arwsamlrsNameQualifier    :: !(Maybe Text)
-    , _arwsamlrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)
-    , _arwsamlrsIssuer           :: !(Maybe Text)
-    , _arwsamlrsResponseStatus   :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRoleWithSAMLResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arwsamlrsSubject' - The value of the @NameID@ element in the @Subject@ element of the SAML assertion.
---
--- * 'arwsamlrsAudience' - The value of the @Recipient@ attribute of the @SubjectConfirmationData@ element of the SAML assertion.
---
--- * 'arwsamlrsPackedPolicySize' - A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
---
--- * 'arwsamlrsCredentials' - The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
---
--- * 'arwsamlrsSubjectType' - The format of the name ID, as defined by the @Format@ attribute in the @NameID@ element of the SAML assertion. Typical examples of the format are @transient@ or @persistent@ .  If the format includes the prefix @urn:oasis:names:tc:SAML:2.0:nameid-format@ , that prefix is removed. For example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is returned as @transient@ . If the format includes any other prefix, the format is returned with no modifications.
---
--- * 'arwsamlrsNameQualifier' - A hash value based on the concatenation of the @Issuer@ response value, the AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in IAM. The combination of @NameQualifier@ and @Subject@ can be used to uniquely identify a federated user.  The following pseudocode shows how the hash value is calculated: @BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )@
---
--- * 'arwsamlrsAssumedRoleUser' - The identifiers for the temporary security credentials that the operation returns.
---
--- * 'arwsamlrsIssuer' - The value of the @Issuer@ element of the SAML assertion.
---
--- * 'arwsamlrsResponseStatus' - -- | The response status code.
-assumeRoleWithSAMLResponse
-    :: Int -- ^ 'arwsamlrsResponseStatus'
-    -> AssumeRoleWithSAMLResponse
-assumeRoleWithSAMLResponse pResponseStatus_ =
-    AssumeRoleWithSAMLResponse'
-    { _arwsamlrsSubject = Nothing
-    , _arwsamlrsAudience = Nothing
-    , _arwsamlrsPackedPolicySize = Nothing
-    , _arwsamlrsCredentials = Nothing
-    , _arwsamlrsSubjectType = Nothing
-    , _arwsamlrsNameQualifier = Nothing
-    , _arwsamlrsAssumedRoleUser = Nothing
-    , _arwsamlrsIssuer = Nothing
-    , _arwsamlrsResponseStatus = pResponseStatus_
-    }
-
--- | The value of the @NameID@ element in the @Subject@ element of the SAML assertion.
-arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrsSubject = lens _arwsamlrsSubject (\ s a -> s{_arwsamlrsSubject = a});
-
--- | The value of the @Recipient@ attribute of the @SubjectConfirmationData@ element of the SAML assertion.
-arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrsAudience = lens _arwsamlrsAudience (\ s a -> s{_arwsamlrsAudience = a});
-
--- | A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
-arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
-arwsamlrsPackedPolicySize = lens _arwsamlrsPackedPolicySize (\ s a -> s{_arwsamlrsPackedPolicySize = a}) . mapping _Nat;
-
--- | The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
-arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
-arwsamlrsCredentials = lens _arwsamlrsCredentials (\ s a -> s{_arwsamlrsCredentials = a});
-
--- | The format of the name ID, as defined by the @Format@ attribute in the @NameID@ element of the SAML assertion. Typical examples of the format are @transient@ or @persistent@ .  If the format includes the prefix @urn:oasis:names:tc:SAML:2.0:nameid-format@ , that prefix is removed. For example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is returned as @transient@ . If the format includes any other prefix, the format is returned with no modifications.
-arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrsSubjectType = lens _arwsamlrsSubjectType (\ s a -> s{_arwsamlrsSubjectType = a});
-
--- | A hash value based on the concatenation of the @Issuer@ response value, the AWS account ID, and the friendly name (the last part of the ARN) of the SAML provider in IAM. The combination of @NameQualifier@ and @Subject@ can be used to uniquely identify a federated user.  The following pseudocode shows how the hash value is calculated: @BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )@
-arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrsNameQualifier = lens _arwsamlrsNameQualifier (\ s a -> s{_arwsamlrsNameQualifier = a});
-
--- | The identifiers for the temporary security credentials that the operation returns.
-arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
-arwsamlrsAssumedRoleUser = lens _arwsamlrsAssumedRoleUser (\ s a -> s{_arwsamlrsAssumedRoleUser = a});
-
--- | The value of the @Issuer@ element of the SAML assertion.
-arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
-arwsamlrsIssuer = lens _arwsamlrsIssuer (\ s a -> s{_arwsamlrsIssuer = a});
-
--- | -- | The response status code.
-arwsamlrsResponseStatus :: Lens' AssumeRoleWithSAMLResponse Int
-arwsamlrsResponseStatus = lens _arwsamlrsResponseStatus (\ s a -> s{_arwsamlrsResponseStatus = a});
-
-instance NFData AssumeRoleWithSAMLResponse
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
+++ /dev/null
@@ -1,259 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.AssumeRoleWithWebIdentity
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider, such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
---
---
--- Calling @AssumeRoleWithWebIdentity@ does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application, and without deploying server-based proxy services that use long-term AWS credentials. Instead, the identity of the caller is validated by using a token from the web identity provider. For a comparison of @AssumeRoleWithWebIdentity@ with the other APIs that produce temporary credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs> in the /IAM User Guide/ .
---
--- The temporary security credentials returned by this API consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service APIs.
---
--- The credentials are valid for the duration that you specified when calling @AssumeRoleWithWebIdentity@ , which can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
---
--- The temporary security credentials created by @AssumeRoleWithWebIdentity@ can be used to make API calls to any AWS service with the following exception: you cannot call the STS service's @GetFederationToken@ or @GetSessionToken@ APIs.
---
--- Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity> in the /IAM User Guide/ .
---
--- Before your application can call @AssumeRoleWithWebIdentity@ , you must have an identity token from a supported identity provider and create a role that the application can assume. The role that your application assumes must trust the identity provider that is associated with the identity token. In other words, the identity provider must be specified in the role's trust policy.
---
--- /Important:/ Calling @AssumeRoleWithWebIdentity@ can result in an entry in your AWS CloudTrail logs. The entry includes the <http://openid.net/specs/openid-connect-core-1_0.html#Claims Subject> of the provided Web Identity Token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as <http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes suggested in the OIDC specification> .
---
--- For more information about how to use web identity federation and the @AssumeRoleWithWebIdentity@ API, see the following resources:
---
---     * <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual Using Web Identity Federation APIs for Mobile Apps> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider> .
---
---     * <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground> . This interactive website lets you walk through the process of authenticating via Login with Amazon, Facebook, or Google, getting temporary security credentials, and then using those credentials to make a request to AWS.
---
---     * <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> . These toolkits contain sample apps that show how to invoke the identity providers, and then how to use the information from these providers to get and use temporary security credentials.
---
---     * <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications> . This article discusses web identity federation and shows an example of how to use web identity federation to get access to content in Amazon S3.
---
---
---
-module Network.AWS.STS.AssumeRoleWithWebIdentity
-    (
-    -- * Creating a Request
-      assumeRoleWithWebIdentity
-    , AssumeRoleWithWebIdentity
-    -- * Request Lenses
-    , arwwiProviderId
-    , arwwiDurationSeconds
-    , arwwiPolicy
-    , arwwiRoleARN
-    , arwwiRoleSessionName
-    , arwwiWebIdentityToken
-
-    -- * Destructuring the Response
-    , assumeRoleWithWebIdentityResponse
-    , AssumeRoleWithWebIdentityResponse
-    -- * Response Lenses
-    , arwwirsAudience
-    , arwwirsSubjectFromWebIdentityToken
-    , arwwirsPackedPolicySize
-    , arwwirsCredentials
-    , arwwirsAssumedRoleUser
-    , arwwirsProvider
-    , arwwirsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'assumeRoleWithWebIdentity' smart constructor.
-data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity'
-    { _arwwiProviderId       :: !(Maybe Text)
-    , _arwwiDurationSeconds  :: !(Maybe Nat)
-    , _arwwiPolicy           :: !(Maybe Text)
-    , _arwwiRoleARN          :: !Text
-    , _arwwiRoleSessionName  :: !Text
-    , _arwwiWebIdentityToken :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRoleWithWebIdentity' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arwwiProviderId' - The fully qualified host component of the domain name of the identity provider. Specify this value only for OAuth 2.0 access tokens. Currently @www.amazon.com@ and @graph.facebook.com@ are the only supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and port numbers. Do not specify this value for OpenID Connect ID tokens.
---
--- * 'arwwiDurationSeconds' - The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds.
---
--- * 'arwwiPolicy' - An IAM policy in JSON format. The policy parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRoleWithWebIdentity> in the /IAM User Guide/ .  The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
---
--- * 'arwwiRoleARN' - The Amazon Resource Name (ARN) of the role that the caller is assuming.
---
--- * 'arwwiRoleSessionName' - An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the @AssumedRoleUser@ response element. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
---
--- * 'arwwiWebIdentityToken' - The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an @AssumeRoleWithWebIdentity@ call.
-assumeRoleWithWebIdentity
-    :: Text -- ^ 'arwwiRoleARN'
-    -> Text -- ^ 'arwwiRoleSessionName'
-    -> Text -- ^ 'arwwiWebIdentityToken'
-    -> AssumeRoleWithWebIdentity
-assumeRoleWithWebIdentity pRoleARN_ pRoleSessionName_ pWebIdentityToken_ =
-    AssumeRoleWithWebIdentity'
-    { _arwwiProviderId = Nothing
-    , _arwwiDurationSeconds = Nothing
-    , _arwwiPolicy = Nothing
-    , _arwwiRoleARN = pRoleARN_
-    , _arwwiRoleSessionName = pRoleSessionName_
-    , _arwwiWebIdentityToken = pWebIdentityToken_
-    }
-
--- | The fully qualified host component of the domain name of the identity provider. Specify this value only for OAuth 2.0 access tokens. Currently @www.amazon.com@ and @graph.facebook.com@ are the only supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and port numbers. Do not specify this value for OpenID Connect ID tokens.
-arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
-arwwiProviderId = lens _arwwiProviderId (\ s a -> s{_arwwiProviderId = a});
-
--- | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set to 3600 seconds.
-arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)
-arwwiDurationSeconds = lens _arwwiDurationSeconds (\ s a -> s{_arwwiDurationSeconds = a}) . mapping _Nat;
-
--- | An IAM policy in JSON format. The policy parameter is optional. If you pass a policy, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, /__and__ / the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html Permissions for AssumeRoleWithWebIdentity> in the /IAM User Guide/ .  The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
-arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
-arwwiPolicy = lens _arwwiPolicy (\ s a -> s{_arwwiPolicy = a});
-
--- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
-arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text
-arwwiRoleARN = lens _arwwiRoleARN (\ s a -> s{_arwwiRoleARN = a});
-
--- | An identifier for the assumed role session. Typically, you pass the name or identifier that is associated with the user who is using your application. That way, the temporary security credentials that your application will use are associated with that user. This session name is included as part of the ARN and assumed role ID in the @AssumedRoleUser@ response element. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text
-arwwiRoleSessionName = lens _arwwiRoleSessionName (\ s a -> s{_arwwiRoleSessionName = a});
-
--- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Your application must get this token by authenticating the user who is using your application with a web identity provider before the application makes an @AssumeRoleWithWebIdentity@ call.
-arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text
-arwwiWebIdentityToken = lens _arwwiWebIdentityToken (\ s a -> s{_arwwiWebIdentityToken = a});
-
-instance AWSRequest AssumeRoleWithWebIdentity where
-        type Rs AssumeRoleWithWebIdentity =
-             AssumeRoleWithWebIdentityResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "AssumeRoleWithWebIdentityResult"
-              (\ s h x ->
-                 AssumeRoleWithWebIdentityResponse' <$>
-                   (x .@? "Audience") <*>
-                     (x .@? "SubjectFromWebIdentityToken")
-                     <*> (x .@? "PackedPolicySize")
-                     <*> (x .@? "Credentials")
-                     <*> (x .@? "AssumedRoleUser")
-                     <*> (x .@? "Provider")
-                     <*> (pure (fromEnum s)))
-
-instance Hashable AssumeRoleWithWebIdentity
-
-instance NFData AssumeRoleWithWebIdentity
-
-instance ToHeaders AssumeRoleWithWebIdentity where
-        toHeaders = const mempty
-
-instance ToPath AssumeRoleWithWebIdentity where
-        toPath = const "/"
-
-instance ToQuery AssumeRoleWithWebIdentity where
-        toQuery AssumeRoleWithWebIdentity'{..}
-          = mconcat
-              ["Action" =:
-                 ("AssumeRoleWithWebIdentity" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "ProviderId" =: _arwwiProviderId,
-               "DurationSeconds" =: _arwwiDurationSeconds,
-               "Policy" =: _arwwiPolicy, "RoleArn" =: _arwwiRoleARN,
-               "RoleSessionName" =: _arwwiRoleSessionName,
-               "WebIdentityToken" =: _arwwiWebIdentityToken]
-
--- | Contains the response to a successful 'AssumeRoleWithWebIdentity' request, including temporary AWS credentials that can be used to make AWS requests.
---
---
---
--- /See:/ 'assumeRoleWithWebIdentityResponse' smart constructor.
-data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse'
-    { _arwwirsAudience                    :: !(Maybe Text)
-    , _arwwirsSubjectFromWebIdentityToken :: !(Maybe Text)
-    , _arwwirsPackedPolicySize            :: !(Maybe Nat)
-    , _arwwirsCredentials                 :: !(Maybe Credentials)
-    , _arwwirsAssumedRoleUser             :: !(Maybe AssumedRoleUser)
-    , _arwwirsProvider                    :: !(Maybe Text)
-    , _arwwirsResponseStatus              :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumeRoleWithWebIdentityResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'arwwirsAudience' - The intended audience (also known as client ID) of the web identity token. This is traditionally the client identifier issued to the application that requested the web identity token.
---
--- * 'arwwirsSubjectFromWebIdentityToken' - The unique user identifier that is returned by the identity provider. This identifier is associated with the @WebIdentityToken@ that was submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is typically unique to the user and the application that acquired the @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens, this field contains the value returned by the identity provider as the token's @sub@ (Subject) claim.
---
--- * 'arwwirsPackedPolicySize' - A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
---
--- * 'arwwirsCredentials' - The temporary security credentials, which include an access key ID, a secret access key, and a security token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
---
--- * 'arwwirsAssumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials. For example, you can reference these credentials as a principal in a resource-based policy by using the ARN or assumed role ID. The ARN and ID include the @RoleSessionName@ that you specified when you called @AssumeRole@ .
---
--- * 'arwwirsProvider' - The issuing authority of the web identity token presented. For OpenID Connect ID Tokens this contains the value of the @iss@ field. For OAuth 2.0 access tokens, this contains the value of the @ProviderId@ parameter that was passed in the @AssumeRoleWithWebIdentity@ request.
---
--- * 'arwwirsResponseStatus' - -- | The response status code.
-assumeRoleWithWebIdentityResponse
-    :: Int -- ^ 'arwwirsResponseStatus'
-    -> AssumeRoleWithWebIdentityResponse
-assumeRoleWithWebIdentityResponse pResponseStatus_ =
-    AssumeRoleWithWebIdentityResponse'
-    { _arwwirsAudience = Nothing
-    , _arwwirsSubjectFromWebIdentityToken = Nothing
-    , _arwwirsPackedPolicySize = Nothing
-    , _arwwirsCredentials = Nothing
-    , _arwwirsAssumedRoleUser = Nothing
-    , _arwwirsProvider = Nothing
-    , _arwwirsResponseStatus = pResponseStatus_
-    }
-
--- | The intended audience (also known as client ID) of the web identity token. This is traditionally the client identifier issued to the application that requested the web identity token.
-arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirsAudience = lens _arwwirsAudience (\ s a -> s{_arwwirsAudience = a});
-
--- | The unique user identifier that is returned by the identity provider. This identifier is associated with the @WebIdentityToken@ that was submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is typically unique to the user and the application that acquired the @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens, this field contains the value returned by the identity provider as the token's @sub@ (Subject) claim.
-arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirsSubjectFromWebIdentityToken = lens _arwwirsSubjectFromWebIdentityToken (\ s a -> s{_arwwirsSubjectFromWebIdentityToken = a});
-
--- | A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
-arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
-arwwirsPackedPolicySize = lens _arwwirsPackedPolicySize (\ s a -> s{_arwwirsPackedPolicySize = a}) . mapping _Nat;
-
--- | The temporary security credentials, which include an access key ID, a secret access key, and a security token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
-arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
-arwwirsCredentials = lens _arwwirsCredentials (\ s a -> s{_arwwirsCredentials = a});
-
--- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials. For example, you can reference these credentials as a principal in a resource-based policy by using the ARN or assumed role ID. The ARN and ID include the @RoleSessionName@ that you specified when you called @AssumeRole@ .
-arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
-arwwirsAssumedRoleUser = lens _arwwirsAssumedRoleUser (\ s a -> s{_arwwirsAssumedRoleUser = a});
-
--- | The issuing authority of the web identity token presented. For OpenID Connect ID Tokens this contains the value of the @iss@ field. For OAuth 2.0 access tokens, this contains the value of the @ProviderId@ parameter that was passed in the @AssumeRoleWithWebIdentity@ request.
-arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
-arwwirsProvider = lens _arwwirsProvider (\ s a -> s{_arwwirsProvider = a});
-
--- | -- | The response status code.
-arwwirsResponseStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
-arwwirsResponseStatus = lens _arwwirsResponseStatus (\ s a -> s{_arwwirsResponseStatus = a});
-
-instance NFData AssumeRoleWithWebIdentityResponse
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
+++ /dev/null
@@ -1,150 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.DecodeAuthorizationMessage
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
---
---
--- For example, if a user is not authorized to perform an action that he or she has requested, the request returns a @Client.UnauthorizedOperation@ response (an HTTP 403 response). Some AWS actions additionally return an encoded message that can provide details about this authorization failure.
---
--- The message is encoded because the details of the authorization status can constitute privileged information that the user who requested the action should not see. To decode an authorization status message, a user must be granted permissions via an IAM policy to request the @DecodeAuthorizationMessage@ (@sts:DecodeAuthorizationMessage@ ) action.
---
--- The decoded message includes the following type of information:
---
---     * Whether the request was denied due to an explicit deny or due to the absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied> in the /IAM User Guide/ .
---
---     * The principal who made the request.
---
---     * The requested action.
---
---     * The requested resource.
---
---     * The values of condition keys in the context of the user's request.
---
---
---
-module Network.AWS.STS.DecodeAuthorizationMessage
-    (
-    -- * Creating a Request
-      decodeAuthorizationMessage
-    , DecodeAuthorizationMessage
-    -- * Request Lenses
-    , damEncodedMessage
-
-    -- * Destructuring the Response
-    , decodeAuthorizationMessageResponse
-    , DecodeAuthorizationMessageResponse
-    -- * Response Lenses
-    , damrsDecodedMessage
-    , damrsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'decodeAuthorizationMessage' smart constructor.
-newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage'
-    { _damEncodedMessage :: Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'DecodeAuthorizationMessage' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'damEncodedMessage' - The encoded message that was returned with the response.
-decodeAuthorizationMessage
-    :: Text -- ^ 'damEncodedMessage'
-    -> DecodeAuthorizationMessage
-decodeAuthorizationMessage pEncodedMessage_ =
-    DecodeAuthorizationMessage'
-    { _damEncodedMessage = pEncodedMessage_
-    }
-
--- | The encoded message that was returned with the response.
-damEncodedMessage :: Lens' DecodeAuthorizationMessage Text
-damEncodedMessage = lens _damEncodedMessage (\ s a -> s{_damEncodedMessage = a});
-
-instance AWSRequest DecodeAuthorizationMessage where
-        type Rs DecodeAuthorizationMessage =
-             DecodeAuthorizationMessageResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper
-              "DecodeAuthorizationMessageResult"
-              (\ s h x ->
-                 DecodeAuthorizationMessageResponse' <$>
-                   (x .@? "DecodedMessage") <*> (pure (fromEnum s)))
-
-instance Hashable DecodeAuthorizationMessage
-
-instance NFData DecodeAuthorizationMessage
-
-instance ToHeaders DecodeAuthorizationMessage where
-        toHeaders = const mempty
-
-instance ToPath DecodeAuthorizationMessage where
-        toPath = const "/"
-
-instance ToQuery DecodeAuthorizationMessage where
-        toQuery DecodeAuthorizationMessage'{..}
-          = mconcat
-              ["Action" =:
-                 ("DecodeAuthorizationMessage" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "EncodedMessage" =: _damEncodedMessage]
-
--- | A document that contains additional information about the authorization status of a request from an encoded message that is returned in response to an AWS request.
---
---
---
--- /See:/ 'decodeAuthorizationMessageResponse' smart constructor.
-data DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse'
-    { _damrsDecodedMessage :: !(Maybe Text)
-    , _damrsResponseStatus :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'DecodeAuthorizationMessageResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'damrsDecodedMessage' - An XML document that contains the decoded message.
---
--- * 'damrsResponseStatus' - -- | The response status code.
-decodeAuthorizationMessageResponse
-    :: Int -- ^ 'damrsResponseStatus'
-    -> DecodeAuthorizationMessageResponse
-decodeAuthorizationMessageResponse pResponseStatus_ =
-    DecodeAuthorizationMessageResponse'
-    { _damrsDecodedMessage = Nothing
-    , _damrsResponseStatus = pResponseStatus_
-    }
-
--- | An XML document that contains the decoded message.
-damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
-damrsDecodedMessage = lens _damrsDecodedMessage (\ s a -> s{_damrsDecodedMessage = a});
-
--- | -- | The response status code.
-damrsResponseStatus :: Lens' DecodeAuthorizationMessageResponse Int
-damrsResponseStatus = lens _damrsResponseStatus (\ s a -> s{_damrsResponseStatus = a});
-
-instance NFData DecodeAuthorizationMessageResponse
diff --git a/gen/Network/AWS/STS/GetCallerIdentity.hs b/gen/Network/AWS/STS/GetCallerIdentity.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/GetCallerIdentity.hs
+++ /dev/null
@@ -1,136 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.GetCallerIdentity
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns details about the IAM identity whose credentials are used to call the API.
---
---
-module Network.AWS.STS.GetCallerIdentity
-    (
-    -- * Creating a Request
-      getCallerIdentity
-    , GetCallerIdentity
-
-    -- * Destructuring the Response
-    , getCallerIdentityResponse
-    , GetCallerIdentityResponse
-    -- * Response Lenses
-    , gcirsARN
-    , gcirsAccount
-    , gcirsUserId
-    , gcirsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'getCallerIdentity' smart constructor.
-data GetCallerIdentity =
-    GetCallerIdentity'
-    deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetCallerIdentity' with the minimum fields required to make a request.
---
-getCallerIdentity
-    :: GetCallerIdentity
-getCallerIdentity = GetCallerIdentity'
-
-instance AWSRequest GetCallerIdentity where
-        type Rs GetCallerIdentity = GetCallerIdentityResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "GetCallerIdentityResult"
-              (\ s h x ->
-                 GetCallerIdentityResponse' <$>
-                   (x .@? "Arn") <*> (x .@? "Account") <*>
-                     (x .@? "UserId")
-                     <*> (pure (fromEnum s)))
-
-instance Hashable GetCallerIdentity
-
-instance NFData GetCallerIdentity
-
-instance ToHeaders GetCallerIdentity where
-        toHeaders = const mempty
-
-instance ToPath GetCallerIdentity where
-        toPath = const "/"
-
-instance ToQuery GetCallerIdentity where
-        toQuery
-          = const
-              (mconcat
-                 ["Action" =: ("GetCallerIdentity" :: ByteString),
-                  "Version" =: ("2011-06-15" :: ByteString)])
-
--- | Contains the response to a successful 'GetCallerIdentity' request, including information about the entity making the request.
---
---
---
--- /See:/ 'getCallerIdentityResponse' smart constructor.
-data GetCallerIdentityResponse = GetCallerIdentityResponse'
-    { _gcirsARN            :: !(Maybe Text)
-    , _gcirsAccount        :: !(Maybe Text)
-    , _gcirsUserId         :: !(Maybe Text)
-    , _gcirsResponseStatus :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetCallerIdentityResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'gcirsARN' - The AWS ARN associated with the calling entity.
---
--- * 'gcirsAccount' - The AWS account ID number of the account that owns or contains the calling entity.
---
--- * 'gcirsUserId' - The unique identifier of the calling entity. The exact value depends on the type of entity making the call. The values returned are those listed in the __aws:userid__ column in the <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table> found on the __Policy Variables__ reference page in the /IAM User Guide/ .
---
--- * 'gcirsResponseStatus' - -- | The response status code.
-getCallerIdentityResponse
-    :: Int -- ^ 'gcirsResponseStatus'
-    -> GetCallerIdentityResponse
-getCallerIdentityResponse pResponseStatus_ =
-    GetCallerIdentityResponse'
-    { _gcirsARN = Nothing
-    , _gcirsAccount = Nothing
-    , _gcirsUserId = Nothing
-    , _gcirsResponseStatus = pResponseStatus_
-    }
-
--- | The AWS ARN associated with the calling entity.
-gcirsARN :: Lens' GetCallerIdentityResponse (Maybe Text)
-gcirsARN = lens _gcirsARN (\ s a -> s{_gcirsARN = a});
-
--- | The AWS account ID number of the account that owns or contains the calling entity.
-gcirsAccount :: Lens' GetCallerIdentityResponse (Maybe Text)
-gcirsAccount = lens _gcirsAccount (\ s a -> s{_gcirsAccount = a});
-
--- | The unique identifier of the calling entity. The exact value depends on the type of entity making the call. The values returned are those listed in the __aws:userid__ column in the <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable Principal table> found on the __Policy Variables__ reference page in the /IAM User Guide/ .
-gcirsUserId :: Lens' GetCallerIdentityResponse (Maybe Text)
-gcirsUserId = lens _gcirsUserId (\ s a -> s{_gcirsUserId = a});
-
--- | -- | The response status code.
-gcirsResponseStatus :: Lens' GetCallerIdentityResponse Int
-gcirsResponseStatus = lens _gcirsResponseStatus (\ s a -> s{_gcirsResponseStatus = a});
-
-instance NFData GetCallerIdentityResponse
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/GetFederationToken.hs
+++ /dev/null
@@ -1,199 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.GetFederationToken
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. Because you must call the @GetFederationToken@ action using the long-term security credentials of an IAM user, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of @GetFederationToken@ with the other APIs that produce temporary credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs> in the /IAM User Guide/ .
---
---
--- The @GetFederationToken@ action must be called by using the long-term AWS security credentials of an IAM user. You can also call @GetFederationToken@ using the security credentials of an AWS root account, but we do not recommended it. Instead, we recommend that you create an IAM user for the purpose of the proxy application and then attach a policy to the IAM user that limits federated users to only the actions and resources that they need access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices> in the /IAM User Guide/ .
---
--- The temporary security credentials that are obtained by using the long-term credentials of an IAM user are valid for the specified duration, from 900 seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default is 43200 seconds (12 hours). Temporary credentials that are obtained by using AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
---
--- The temporary security credentials created by @GetFederationToken@ can be used to make API calls to any AWS service with the following exceptions:
---
---     * You cannot use these credentials to call any IAM APIs.
---
---     * You cannot call any STS APIs.
---
---
---
--- __Permissions__
---
--- The permissions for the temporary security credentials returned by @GetFederationToken@ are determined by a combination of the following:
---
---     * The policy or policies that are attached to the IAM user whose credentials are used to call @GetFederationToken@ .
---
---     * The policy that is passed as a parameter in the call.
---
---
---
--- The passed policy is attached to the temporary security credentials that result from the @GetFederationToken@ API call--that is, to the /federated user/ . When the federated user makes an AWS request, AWS evaluates the policy attached to the federated user in combination with the policy or policies attached to the IAM user whose credentials were used to call @GetFederationToken@ . AWS allows the federated user's request only when both the federated user /__and__ / the IAM user are explicitly allowed to perform the requested action. The passed policy cannot grant more permissions than those that are defined in the IAM user policy.
---
--- A typical use case is that the permissions of the IAM user whose credentials are used to call @GetFederationToken@ are designed to allow access to all the actions and resources that any federated user will need. Then, for individual users, you pass a policy to the operation that scopes down the permissions to a level that's appropriate to that individual user, using a policy that allows only a subset of permissions that are granted to the IAM user.
---
--- If you do not pass a policy, the resulting temporary security credentials have no effective permissions. The only exception is when the temporary security credentials are used to access a resource that has a resource-based policy that specifically allows the federated user to access the resource.
---
--- For more information about how permissions work, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html Permissions for GetFederationToken> . For information about using @GetFederationToken@ to create temporary security credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken GetFederationToken—Federation Through a Custom Identity Broker> .
---
-module Network.AWS.STS.GetFederationToken
-    (
-    -- * Creating a Request
-      getFederationToken
-    , GetFederationToken
-    -- * Request Lenses
-    , gftDurationSeconds
-    , gftPolicy
-    , gftName
-
-    -- * Destructuring the Response
-    , getFederationTokenResponse
-    , GetFederationTokenResponse
-    -- * Response Lenses
-    , gftrsPackedPolicySize
-    , gftrsCredentials
-    , gftrsFederatedUser
-    , gftrsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'getFederationToken' smart constructor.
-data GetFederationToken = GetFederationToken'
-    { _gftDurationSeconds :: !(Maybe Nat)
-    , _gftPolicy          :: !(Maybe Text)
-    , _gftName            :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetFederationToken' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'gftDurationSeconds' - The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained using AWS account (root) credentials are restricted to a maximum of 3600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using AWS account (root) credentials defaults to one hour.
---
--- * 'gftPolicy' - An IAM policy in JSON format that is passed with the @GetFederationToken@ call and evaluated along with the policy or policies that are attached to the IAM user whose credentials are used to call @GetFederationToken@ . The passed policy is used to scope down the permissions that are available to the IAM user, by allowing only a subset of the permissions that are granted to the IAM user. The passed policy cannot grant more permissions than those granted to the IAM user. The final permissions for the federated user are the most restrictive set based on the intersection of the passed policy and the IAM user policy. If you do not pass a policy, the resulting temporary security credentials have no effective permissions. The only exception is when the temporary security credentials are used to access a resource that has a resource-based policy that specifically allows the federated user to access the resource. The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters. For more information about how permissions work, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html Permissions for GetFederationToken> .
---
--- * 'gftName' - The name of the federated user. The name is used as an identifier for the temporary security credentials (such as @Bob@ ). For example, you can reference the federated user name in a resource-based policy, such as in an Amazon S3 bucket policy. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-getFederationToken
-    :: Text -- ^ 'gftName'
-    -> GetFederationToken
-getFederationToken pName_ =
-    GetFederationToken'
-    { _gftDurationSeconds = Nothing
-    , _gftPolicy = Nothing
-    , _gftName = pName_
-    }
-
--- | The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained using AWS account (root) credentials are restricted to a maximum of 3600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using AWS account (root) credentials defaults to one hour.
-gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)
-gftDurationSeconds = lens _gftDurationSeconds (\ s a -> s{_gftDurationSeconds = a}) . mapping _Nat;
-
--- | An IAM policy in JSON format that is passed with the @GetFederationToken@ call and evaluated along with the policy or policies that are attached to the IAM user whose credentials are used to call @GetFederationToken@ . The passed policy is used to scope down the permissions that are available to the IAM user, by allowing only a subset of the permissions that are granted to the IAM user. The passed policy cannot grant more permissions than those granted to the IAM user. The final permissions for the federated user are the most restrictive set based on the intersection of the passed policy and the IAM user policy. If you do not pass a policy, the resulting temporary security credentials have no effective permissions. The only exception is when the temporary security credentials are used to access a resource that has a resource-based policy that specifically allows the federated user to access the resource. The format for this parameter, as described by its regex pattern, is a string of characters up to 2048 characters in length. The characters can be any ASCII character from the space character to the end of the valid character list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters. For more information about how permissions work, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html Permissions for GetFederationToken> .
-gftPolicy :: Lens' GetFederationToken (Maybe Text)
-gftPolicy = lens _gftPolicy (\ s a -> s{_gftPolicy = a});
-
--- | The name of the federated user. The name is used as an identifier for the temporary security credentials (such as @Bob@ ). For example, you can reference the federated user name in a resource-based policy, such as in an Amazon S3 bucket policy. The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-gftName :: Lens' GetFederationToken Text
-gftName = lens _gftName (\ s a -> s{_gftName = a});
-
-instance AWSRequest GetFederationToken where
-        type Rs GetFederationToken =
-             GetFederationTokenResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "GetFederationTokenResult"
-              (\ s h x ->
-                 GetFederationTokenResponse' <$>
-                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")
-                     <*> (x .@? "FederatedUser")
-                     <*> (pure (fromEnum s)))
-
-instance Hashable GetFederationToken
-
-instance NFData GetFederationToken
-
-instance ToHeaders GetFederationToken where
-        toHeaders = const mempty
-
-instance ToPath GetFederationToken where
-        toPath = const "/"
-
-instance ToQuery GetFederationToken where
-        toQuery GetFederationToken'{..}
-          = mconcat
-              ["Action" =: ("GetFederationToken" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "DurationSeconds" =: _gftDurationSeconds,
-               "Policy" =: _gftPolicy, "Name" =: _gftName]
-
--- | Contains the response to a successful 'GetFederationToken' request, including temporary AWS credentials that can be used to make AWS requests.
---
---
---
--- /See:/ 'getFederationTokenResponse' smart constructor.
-data GetFederationTokenResponse = GetFederationTokenResponse'
-    { _gftrsPackedPolicySize :: !(Maybe Nat)
-    , _gftrsCredentials      :: !(Maybe Credentials)
-    , _gftrsFederatedUser    :: !(Maybe FederatedUser)
-    , _gftrsResponseStatus   :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetFederationTokenResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'gftrsPackedPolicySize' - A percentage value indicating the size of the policy in packed form. The service rejects policies for which the packed size is greater than 100 percent of the allowed value.
---
--- * 'gftrsCredentials' - The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
---
--- * 'gftrsFederatedUser' - Identifiers for the federated user associated with the credentials (such as @arn:aws:sts::123456789012:federated-user/Bob@ or @123456789012:Bob@ ). You can use the federated user's ARN in your resource-based policies, such as an Amazon S3 bucket policy.
---
--- * 'gftrsResponseStatus' - -- | The response status code.
-getFederationTokenResponse
-    :: Int -- ^ 'gftrsResponseStatus'
-    -> GetFederationTokenResponse
-getFederationTokenResponse pResponseStatus_ =
-    GetFederationTokenResponse'
-    { _gftrsPackedPolicySize = Nothing
-    , _gftrsCredentials = Nothing
-    , _gftrsFederatedUser = Nothing
-    , _gftrsResponseStatus = pResponseStatus_
-    }
-
--- | A percentage value indicating the size of the policy in packed form. The service rejects policies for which the packed size is greater than 100 percent of the allowed value.
-gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
-gftrsPackedPolicySize = lens _gftrsPackedPolicySize (\ s a -> s{_gftrsPackedPolicySize = a}) . mapping _Nat;
-
--- | The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
-gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
-gftrsCredentials = lens _gftrsCredentials (\ s a -> s{_gftrsCredentials = a});
-
--- | Identifiers for the federated user associated with the credentials (such as @arn:aws:sts::123456789012:federated-user/Bob@ or @123456789012:Bob@ ). You can use the federated user's ARN in your resource-based policies, such as an Amazon S3 bucket policy.
-gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
-gftrsFederatedUser = lens _gftrsFederatedUser (\ s a -> s{_gftrsFederatedUser = a});
-
--- | -- | The response status code.
-gftrsResponseStatus :: Lens' GetFederationTokenResponse Int
-gftrsResponseStatus = lens _gftrsResponseStatus (\ s a -> s{_gftrsResponseStatus = a});
-
-instance NFData GetFederationTokenResponse
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/GetSessionToken.hs
+++ /dev/null
@@ -1,162 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-{-# LANGUAGE TypeFamilies       #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
-{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.GetSessionToken
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
--- Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use @GetSessionToken@ if you want to use MFA to protect programmatic calls to specific AWS APIs like Amazon EC2 @StopInstances@ . MFA-enabled IAM users would need to call @GetSessionToken@ and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to APIs that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of @GetSessionToken@ with the other APIs that produce temporary credentials, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> and <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the AWS STS APIs> in the /IAM User Guide/ .
---
---
--- The @GetSessionToken@ action must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
---
--- The temporary security credentials created by @GetSessionToken@ can be used to make API calls to any AWS service with the following exceptions:
---
---     * You cannot call any IAM APIs unless MFA authentication information is included in the request.
---
---     * You cannot call any STS API /except/ @AssumeRole@ .
---
---
---
--- The permissions associated with the temporary security credentials returned by @GetSessionToken@ are based on the permissions associated with account or IAM user whose credentials are used to call the action. If @GetSessionToken@ is called using root account credentials, the temporary credentials have root account permissions. Similarly, if @GetSessionToken@ is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.
---
--- For more information about using @GetSessionToken@ to create temporary credentials, go to <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken Temporary Credentials for Users in Untrusted Environments> in the /IAM User Guide/ .
---
-module Network.AWS.STS.GetSessionToken
-    (
-    -- * Creating a Request
-      getSessionToken
-    , GetSessionToken
-    -- * Request Lenses
-    , gstTokenCode
-    , gstDurationSeconds
-    , gstSerialNumber
-
-    -- * Destructuring the Response
-    , getSessionTokenResponse
-    , GetSessionTokenResponse
-    -- * Response Lenses
-    , gstrsCredentials
-    , gstrsResponseStatus
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Request
-import           Network.AWS.Response
-import           Network.AWS.STS.Types
-import           Network.AWS.STS.Types.Product
-
--- | /See:/ 'getSessionToken' smart constructor.
-data GetSessionToken = GetSessionToken'
-    { _gstTokenCode       :: !(Maybe Text)
-    , _gstDurationSeconds :: !(Maybe Nat)
-    , _gstSerialNumber    :: !(Maybe Text)
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetSessionToken' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'gstTokenCode' - The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication. The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
---
--- * 'gstDurationSeconds' - The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
---
--- * 'gstSerialNumber' - The identification number of the MFA device that is associated with the IAM user who is making the @GetSessionToken@ call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as @GAHT12345678@ ) or an Amazon Resource Name (ARN) for a virtual device (such as @arn:aws:iam::123456789012:mfa/user@ ). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.  The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-getSessionToken
-    :: GetSessionToken
-getSessionToken =
-    GetSessionToken'
-    { _gstTokenCode = Nothing
-    , _gstDurationSeconds = Nothing
-    , _gstSerialNumber = Nothing
-    }
-
--- | The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication. The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
-gstTokenCode :: Lens' GetSessionToken (Maybe Text)
-gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a});
-
--- | The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
-gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
-gstDurationSeconds = lens _gstDurationSeconds (\ s a -> s{_gstDurationSeconds = a}) . mapping _Nat;
-
--- | The identification number of the MFA device that is associated with the IAM user who is making the @GetSessionToken@ call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as @GAHT12345678@ ) or an Amazon Resource Name (ARN) for a virtual device (such as @arn:aws:iam::123456789012:mfa/user@ ). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.  The format for this parameter, as described by its regex pattern, is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
-gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
-gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a});
-
-instance AWSRequest GetSessionToken where
-        type Rs GetSessionToken = GetSessionTokenResponse
-        request = postQuery sts
-        response
-          = receiveXMLWrapper "GetSessionTokenResult"
-              (\ s h x ->
-                 GetSessionTokenResponse' <$>
-                   (x .@? "Credentials") <*> (pure (fromEnum s)))
-
-instance Hashable GetSessionToken
-
-instance NFData GetSessionToken
-
-instance ToHeaders GetSessionToken where
-        toHeaders = const mempty
-
-instance ToPath GetSessionToken where
-        toPath = const "/"
-
-instance ToQuery GetSessionToken where
-        toQuery GetSessionToken'{..}
-          = mconcat
-              ["Action" =: ("GetSessionToken" :: ByteString),
-               "Version" =: ("2011-06-15" :: ByteString),
-               "TokenCode" =: _gstTokenCode,
-               "DurationSeconds" =: _gstDurationSeconds,
-               "SerialNumber" =: _gstSerialNumber]
-
--- | Contains the response to a successful 'GetSessionToken' request, including temporary AWS credentials that can be used to make AWS requests.
---
---
---
--- /See:/ 'getSessionTokenResponse' smart constructor.
-data GetSessionTokenResponse = GetSessionTokenResponse'
-    { _gstrsCredentials    :: !(Maybe Credentials)
-    , _gstrsResponseStatus :: !Int
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'GetSessionTokenResponse' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'gstrsCredentials' - The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
---
--- * 'gstrsResponseStatus' - -- | The response status code.
-getSessionTokenResponse
-    :: Int -- ^ 'gstrsResponseStatus'
-    -> GetSessionTokenResponse
-getSessionTokenResponse pResponseStatus_ =
-    GetSessionTokenResponse'
-    { _gstrsCredentials = Nothing
-    , _gstrsResponseStatus = pResponseStatus_
-    }
-
--- | The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token. __Note:__ The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
-gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
-gstrsCredentials = lens _gstrsCredentials (\ s a -> s{_gstrsCredentials = a});
-
--- | -- | The response status code.
-gstrsResponseStatus :: Lens' GetSessionTokenResponse Int
-gstrsResponseStatus = lens _gstrsResponseStatus (\ s a -> s{_gstrsResponseStatus = a});
-
-instance NFData GetSessionTokenResponse
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/Types.hs
+++ /dev/null
@@ -1,146 +0,0 @@
-{-# LANGUAGE OverloadedStrings #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.Types
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
-module Network.AWS.STS.Types
-    (
-    -- * Service Configuration
-      sts
-
-    -- * Errors
-    , _MalformedPolicyDocumentException
-    , _InvalidAuthorizationMessageException
-    , _PackedPolicyTooLargeException
-    , _RegionDisabledException
-    , _IdPCommunicationErrorException
-    , _InvalidIdentityTokenException
-    , _ExpiredTokenException
-    , _IdPRejectedClaimException
-
-    -- * AssumedRoleUser
-    , AssumedRoleUser
-    , assumedRoleUser
-    , aruAssumedRoleId
-    , aruARN
-
-    -- * Credentials
-    , Credentials
-    , credentials
-    , cAccessKeyId
-    , cSecretAccessKey
-    , cSessionToken
-    , cExpiration
-
-    -- * FederatedUser
-    , FederatedUser
-    , federatedUser
-    , fuFederatedUserId
-    , fuARN
-    ) where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.Sign.V4
-import           Network.AWS.STS.Types.Product
-import           Network.AWS.STS.Types.Sum
-
--- | API version @2011-06-15@ of the Amazon Security Token Service SDK configuration.
-sts :: Service
-sts =
-    Service
-    { _svcAbbrev = "STS"
-    , _svcSigner = v4
-    , _svcPrefix = "sts"
-    , _svcVersion = "2011-06-15"
-    , _svcEndpoint = defaultEndpoint sts
-    , _svcTimeout = Just 70
-    , _svcCheck = statusSuccess
-    , _svcError = parseXMLError "STS"
-    , _svcRetry = retry
-    }
-  where
-    retry =
-        Exponential
-        { _retryBase = 5.0e-2
-        , _retryGrowth = 2
-        , _retryAttempts = 5
-        , _retryCheck = check
-        }
-    check e
-      | has (hasStatus 429) e = Just "too_many_requests"
-      | has (hasCode "ThrottlingException" . hasStatus 400) e =
-          Just "throttling_exception"
-      | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"
-      | has (hasStatus 504) e = Just "gateway_timeout"
-      | has (hasStatus 502) e = Just "bad_gateway"
-      | has (hasStatus 503) e = Just "service_unavailable"
-      | has (hasStatus 500) e = Just "general_server_error"
-      | has (hasStatus 509) e = Just "limit_exceeded"
-      | otherwise = Nothing
-
--- | The request was rejected because the policy document was malformed. The error message describes the specific error.
---
---
-_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
-_MalformedPolicyDocumentException =
-    _ServiceError . hasStatus 400 . hasCode "MalformedPolicyDocument"
-
--- | The error returned if the message passed to @DecodeAuthorizationMessage@ was invalid. This can happen if the token contains invalid characters, such as linebreaks.
---
---
-_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
-_InvalidAuthorizationMessageException =
-    _ServiceError .
-    hasStatus 400 . hasCode "InvalidAuthorizationMessageException"
-
--- | The request was rejected because the policy document was too large. The error message describes how big the policy document is, in packed form, as a percentage of what the API allows.
---
---
-_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
-_PackedPolicyTooLargeException =
-    _ServiceError . hasStatus 400 . hasCode "PackedPolicyTooLarge"
-
--- | STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html Activating and Deactivating AWS STS in an AWS Region> in the /IAM User Guide/ .
---
---
-_RegionDisabledException :: AsError a => Getting (First ServiceError) a ServiceError
-_RegionDisabledException =
-    _ServiceError . hasStatus 403 . hasCode "RegionDisabledException"
-
--- | The request could not be fulfilled because the non-AWS identity provider (IDP) that was asked to verify the incoming identity token could not be reached. This is often a transient error caused by network conditions. Retry the request a limited number of times so that you don't exceed the request rate. If the error persists, the non-AWS identity provider might be down or not responding.
---
---
-_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
-_IdPCommunicationErrorException =
-    _ServiceError . hasStatus 400 . hasCode "IDPCommunicationError"
-
--- | The web identity token that was passed could not be validated by AWS. Get a new identity token from the identity provider and then retry the request.
---
---
-_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
-_InvalidIdentityTokenException =
-    _ServiceError . hasStatus 400 . hasCode "InvalidIdentityToken"
-
--- | The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.
---
---
-_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
-_ExpiredTokenException =
-    _ServiceError . hasStatus 400 . hasCode "ExpiredTokenException"
-
--- | The identity provider (IdP) reported that authentication failed. This might be because the claim is invalid.
---
---
--- If this error is returned for the @AssumeRoleWithWebIdentity@ operation, it can also mean that the claim has expired or has been explicitly revoked.
---
-_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
-_IdPRejectedClaimException =
-    _ServiceError . hasStatus 403 . hasCode "IDPRejectedClaim"
diff --git a/gen/Network/AWS/STS/Types/Product.hs b/gen/Network/AWS/STS/Types/Product.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/Types/Product.hs
+++ /dev/null
@@ -1,174 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE OverloadedStrings  #-}
-{-# LANGUAGE RecordWildCards    #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.Types.Product
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
-module Network.AWS.STS.Types.Product where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.STS.Types.Sum
-
--- | The identifiers for the temporary security credentials that the operation returns.
---
---
---
--- /See:/ 'assumedRoleUser' smart constructor.
-data AssumedRoleUser = AssumedRoleUser'
-    { _aruAssumedRoleId :: !Text
-    , _aruARN           :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'AssumedRoleUser' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'aruAssumedRoleId' - A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
---
--- * 'aruARN' - The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers> in /Using IAM/ .
-assumedRoleUser
-    :: Text -- ^ 'aruAssumedRoleId'
-    -> Text -- ^ 'aruARN'
-    -> AssumedRoleUser
-assumedRoleUser pAssumedRoleId_ pARN_ =
-    AssumedRoleUser'
-    { _aruAssumedRoleId = pAssumedRoleId_
-    , _aruARN = pARN_
-    }
-
--- | A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
-aruAssumedRoleId :: Lens' AssumedRoleUser Text
-aruAssumedRoleId = lens _aruAssumedRoleId (\ s a -> s{_aruAssumedRoleId = a});
-
--- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers> in /Using IAM/ .
-aruARN :: Lens' AssumedRoleUser Text
-aruARN = lens _aruARN (\ s a -> s{_aruARN = a});
-
-instance FromXML AssumedRoleUser where
-        parseXML x
-          = AssumedRoleUser' <$>
-              (x .@ "AssumedRoleId") <*> (x .@ "Arn")
-
-instance Hashable AssumedRoleUser
-
-instance NFData AssumedRoleUser
-
--- | AWS credentials for API authentication.
---
---
---
--- /See:/ 'credentials' smart constructor.
-data Credentials = Credentials'
-    { _cAccessKeyId     :: !Text
-    , _cSecretAccessKey :: !Text
-    , _cSessionToken    :: !Text
-    , _cExpiration      :: !ISO8601
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'Credentials' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'cAccessKeyId' - The access key ID that identifies the temporary security credentials.
---
--- * 'cSecretAccessKey' - The secret access key that can be used to sign requests.
---
--- * 'cSessionToken' - The token that users must pass to the service API to use the temporary credentials.
---
--- * 'cExpiration' - The date on which the current credentials expire.
-credentials
-    :: Text -- ^ 'cAccessKeyId'
-    -> Text -- ^ 'cSecretAccessKey'
-    -> Text -- ^ 'cSessionToken'
-    -> UTCTime -- ^ 'cExpiration'
-    -> Credentials
-credentials pAccessKeyId_ pSecretAccessKey_ pSessionToken_ pExpiration_ =
-    Credentials'
-    { _cAccessKeyId = pAccessKeyId_
-    , _cSecretAccessKey = pSecretAccessKey_
-    , _cSessionToken = pSessionToken_
-    , _cExpiration = _Time # pExpiration_
-    }
-
--- | The access key ID that identifies the temporary security credentials.
-cAccessKeyId :: Lens' Credentials Text
-cAccessKeyId = lens _cAccessKeyId (\ s a -> s{_cAccessKeyId = a});
-
--- | The secret access key that can be used to sign requests.
-cSecretAccessKey :: Lens' Credentials Text
-cSecretAccessKey = lens _cSecretAccessKey (\ s a -> s{_cSecretAccessKey = a});
-
--- | The token that users must pass to the service API to use the temporary credentials.
-cSessionToken :: Lens' Credentials Text
-cSessionToken = lens _cSessionToken (\ s a -> s{_cSessionToken = a});
-
--- | The date on which the current credentials expire.
-cExpiration :: Lens' Credentials UTCTime
-cExpiration = lens _cExpiration (\ s a -> s{_cExpiration = a}) . _Time;
-
-instance FromXML Credentials where
-        parseXML x
-          = Credentials' <$>
-              (x .@ "AccessKeyId") <*> (x .@ "SecretAccessKey") <*>
-                (x .@ "SessionToken")
-                <*> (x .@ "Expiration")
-
-instance Hashable Credentials
-
-instance NFData Credentials
-
--- | Identifiers for the federated user that is associated with the credentials.
---
---
---
--- /See:/ 'federatedUser' smart constructor.
-data FederatedUser = FederatedUser'
-    { _fuFederatedUserId :: !Text
-    , _fuARN             :: !Text
-    } deriving (Eq,Read,Show,Data,Typeable,Generic)
-
--- | Creates a value of 'FederatedUser' with the minimum fields required to make a request.
---
--- Use one of the following lenses to modify other fields as desired:
---
--- * 'fuFederatedUserId' - The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.
---
--- * 'fuARN' - The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers> in /Using IAM/ .
-federatedUser
-    :: Text -- ^ 'fuFederatedUserId'
-    -> Text -- ^ 'fuARN'
-    -> FederatedUser
-federatedUser pFederatedUserId_ pARN_ =
-    FederatedUser'
-    { _fuFederatedUserId = pFederatedUserId_
-    , _fuARN = pARN_
-    }
-
--- | The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.
-fuFederatedUserId :: Lens' FederatedUser Text
-fuFederatedUserId = lens _fuFederatedUserId (\ s a -> s{_fuFederatedUserId = a});
-
--- | The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers> in /Using IAM/ .
-fuARN :: Lens' FederatedUser Text
-fuARN = lens _fuARN (\ s a -> s{_fuARN = a});
-
-instance FromXML FederatedUser where
-        parseXML x
-          = FederatedUser' <$>
-              (x .@ "FederatedUserId") <*> (x .@ "Arn")
-
-instance Hashable FederatedUser
-
-instance NFData FederatedUser
diff --git a/gen/Network/AWS/STS/Types/Sum.hs b/gen/Network/AWS/STS/Types/Sum.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/Types/Sum.hs
+++ /dev/null
@@ -1,20 +0,0 @@
-{-# LANGUAGE DeriveDataTypeable #-}
-{-# LANGUAGE DeriveGeneric      #-}
-{-# LANGUAGE LambdaCase         #-}
-{-# LANGUAGE OverloadedStrings  #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.Types.Sum
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
-module Network.AWS.STS.Types.Sum where
-
-import           Network.AWS.Prelude
diff --git a/gen/Network/AWS/STS/Waiters.hs b/gen/Network/AWS/STS/Waiters.hs
deleted file mode 100644
--- a/gen/Network/AWS/STS/Waiters.hs
+++ /dev/null
@@ -1,21 +0,0 @@
-{-# LANGUAGE OverloadedStrings #-}
-{-# LANGUAGE TypeFamilies      #-}
-
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Network.AWS.STS.Waiters
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
-module Network.AWS.STS.Waiters where
-
-import           Network.AWS.Lens
-import           Network.AWS.Prelude
-import           Network.AWS.STS.Types
-import           Network.AWS.Waiter
diff --git a/test/Main.hs b/test/Main.hs
--- a/test/Main.hs
+++ b/test/Main.hs
@@ -2,20 +2,22 @@
 
 -- |
 -- Module      : Main
--- Copyright   : (c) 2013-2016 Brendan Hay
+-- Copyright   : (c) 2013-2023 Brendan Hay
 -- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Maintainer  : Brendan Hay
 -- Stability   : auto-generated
 -- Portability : non-portable (GHC extensions)
---
 module Main (main) where
 
+import Test.Amazonka.STS
+import Test.Amazonka.STS.Internal
 import Test.Tasty
-import Test.AWS.STS
-import Test.AWS.STS.Internal
 
 main :: IO ()
-main = defaultMain $ testGroup "STS"
-    [ testGroup "tests"    tests
-    , testGroup "fixtures" fixtures
-    ]
+main =
+  defaultMain $
+    testGroup
+      "STS"
+      [ testGroup "tests" tests,
+        testGroup "fixtures" fixtures
+      ]
diff --git a/test/Test/AWS/Gen/STS.hs b/test/Test/AWS/Gen/STS.hs
deleted file mode 100644
--- a/test/Test/AWS/Gen/STS.hs
+++ /dev/null
@@ -1,165 +0,0 @@
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-{-# OPTIONS_GHC -fno-warn-orphans        #-}
-
--- Derived from AWS service descriptions, licensed under Apache 2.0.
-
--- |
--- Module      : Test.AWS.Gen.STS
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : Mozilla Public License, v. 2.0.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : auto-generated
--- Portability : non-portable (GHC extensions)
---
-module Test.AWS.Gen.STS where
-
-import Data.Proxy
-import Test.AWS.Fixture
-import Test.AWS.Prelude
-import Test.Tasty
-import Network.AWS.STS
-import Test.AWS.STS.Internal
-
--- Auto-generated: the actual test selection needs to be manually placed into
--- the top-level so that real test data can be incrementally added.
---
--- This commented snippet is what the entire set should look like:
-
--- fixtures :: TestTree
--- fixtures =
---     [ testGroup "request"
---         [ requestGetCallerIdentity $
---             getCallerIdentity
---
---         , requestAssumeRole $
---             assumeRole
---
---         , requestDecodeAuthorizationMessage $
---             decodeAuthorizationMessage
---
---         , requestAssumeRoleWithWebIdentity $
---             assumeRoleWithWebIdentity
---
---         , requestGetFederationToken $
---             getFederationToken
---
---         , requestGetSessionToken $
---             getSessionToken
---
---         , requestAssumeRoleWithSAML $
---             assumeRoleWithSAML
---
---           ]
-
---     , testGroup "response"
---         [ responseGetCallerIdentity $
---             getCallerIdentityResponse
---
---         , responseAssumeRole $
---             assumeRoleResponse
---
---         , responseDecodeAuthorizationMessage $
---             decodeAuthorizationMessageResponse
---
---         , responseAssumeRoleWithWebIdentity $
---             assumeRoleWithWebIdentityResponse
---
---         , responseGetFederationToken $
---             getFederationTokenResponse
---
---         , responseGetSessionToken $
---             getSessionTokenResponse
---
---         , responseAssumeRoleWithSAML $
---             assumeRoleWithSAMLResponse
---
---           ]
---     ]
-
--- Requests
-
-requestGetCallerIdentity :: GetCallerIdentity -> TestTree
-requestGetCallerIdentity = req
-    "GetCallerIdentity"
-    "fixture/GetCallerIdentity.yaml"
-
-requestAssumeRole :: AssumeRole -> TestTree
-requestAssumeRole = req
-    "AssumeRole"
-    "fixture/AssumeRole.yaml"
-
-requestDecodeAuthorizationMessage :: DecodeAuthorizationMessage -> TestTree
-requestDecodeAuthorizationMessage = req
-    "DecodeAuthorizationMessage"
-    "fixture/DecodeAuthorizationMessage.yaml"
-
-requestAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentity -> TestTree
-requestAssumeRoleWithWebIdentity = req
-    "AssumeRoleWithWebIdentity"
-    "fixture/AssumeRoleWithWebIdentity.yaml"
-
-requestGetFederationToken :: GetFederationToken -> TestTree
-requestGetFederationToken = req
-    "GetFederationToken"
-    "fixture/GetFederationToken.yaml"
-
-requestGetSessionToken :: GetSessionToken -> TestTree
-requestGetSessionToken = req
-    "GetSessionToken"
-    "fixture/GetSessionToken.yaml"
-
-requestAssumeRoleWithSAML :: AssumeRoleWithSAML -> TestTree
-requestAssumeRoleWithSAML = req
-    "AssumeRoleWithSAML"
-    "fixture/AssumeRoleWithSAML.yaml"
-
--- Responses
-
-responseGetCallerIdentity :: GetCallerIdentityResponse -> TestTree
-responseGetCallerIdentity = res
-    "GetCallerIdentityResponse"
-    "fixture/GetCallerIdentityResponse.proto"
-    sts
-    (Proxy :: Proxy GetCallerIdentity)
-
-responseAssumeRole :: AssumeRoleResponse -> TestTree
-responseAssumeRole = res
-    "AssumeRoleResponse"
-    "fixture/AssumeRoleResponse.proto"
-    sts
-    (Proxy :: Proxy AssumeRole)
-
-responseDecodeAuthorizationMessage :: DecodeAuthorizationMessageResponse -> TestTree
-responseDecodeAuthorizationMessage = res
-    "DecodeAuthorizationMessageResponse"
-    "fixture/DecodeAuthorizationMessageResponse.proto"
-    sts
-    (Proxy :: Proxy DecodeAuthorizationMessage)
-
-responseAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentityResponse -> TestTree
-responseAssumeRoleWithWebIdentity = res
-    "AssumeRoleWithWebIdentityResponse"
-    "fixture/AssumeRoleWithWebIdentityResponse.proto"
-    sts
-    (Proxy :: Proxy AssumeRoleWithWebIdentity)
-
-responseGetFederationToken :: GetFederationTokenResponse -> TestTree
-responseGetFederationToken = res
-    "GetFederationTokenResponse"
-    "fixture/GetFederationTokenResponse.proto"
-    sts
-    (Proxy :: Proxy GetFederationToken)
-
-responseGetSessionToken :: GetSessionTokenResponse -> TestTree
-responseGetSessionToken = res
-    "GetSessionTokenResponse"
-    "fixture/GetSessionTokenResponse.proto"
-    sts
-    (Proxy :: Proxy GetSessionToken)
-
-responseAssumeRoleWithSAML :: AssumeRoleWithSAMLResponse -> TestTree
-responseAssumeRoleWithSAML = res
-    "AssumeRoleWithSAMLResponse"
-    "fixture/AssumeRoleWithSAMLResponse.proto"
-    sts
-    (Proxy :: Proxy AssumeRoleWithSAML)
diff --git a/test/Test/AWS/STS.hs b/test/Test/AWS/STS.hs
deleted file mode 100644
--- a/test/Test/AWS/STS.hs
+++ /dev/null
@@ -1,26 +0,0 @@
-{-# LANGUAGE OverloadedStrings #-}
-
--- Module      : Test.AWS.STS
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
--- Portability : non-portable (GHC extensions)
-
-module Test.AWS.STS
-    ( tests
-    , fixtures
-    ) where
-
-import           Network.AWS.STS
-import           Test.AWS.Gen.STS
-import           Test.Tasty
-
-tests :: [TestTree]
-tests = []
-
-fixtures :: [TestTree]
-fixtures = []
diff --git a/test/Test/AWS/STS/Internal.hs b/test/Test/AWS/STS/Internal.hs
deleted file mode 100644
--- a/test/Test/AWS/STS/Internal.hs
+++ /dev/null
@@ -1,16 +0,0 @@
-{-# LANGUAGE OverloadedStrings #-}
-{-# OPTIONS_GHC -fno-warn-unused-imports #-}
-
--- Module      : Test.AWS.STS.Internal
--- Copyright   : (c) 2013-2016 Brendan Hay
--- License     : This Source Code Form is subject to the terms of
---               the Mozilla Public License, v. 2.0.
---               A copy of the MPL can be found in the LICENSE file or
---               you can obtain it at http://mozilla.org/MPL/2.0/.
--- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
--- Stability   : experimental
--- Portability : non-portable (GHC extensions)
-
-module Test.AWS.STS.Internal where
-
-import Test.AWS.Prelude
diff --git a/test/Test/Amazonka/Gen/STS.hs b/test/Test/Amazonka/Gen/STS.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/Gen/STS.hs
@@ -0,0 +1,198 @@
+{-# OPTIONS_GHC -fno-warn-orphans #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Test.Amazonka.Gen.STS
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.Gen.STS where
+
+import Amazonka.STS
+import qualified Data.Proxy as Proxy
+import Test.Amazonka.Fixture
+import Test.Amazonka.Prelude
+import Test.Amazonka.STS.Internal
+import Test.Tasty
+
+-- Auto-generated: the actual test selection needs to be manually placed into
+-- the top-level so that real test data can be incrementally added.
+--
+-- This commented snippet is what the entire set should look like:
+
+-- fixtures :: TestTree
+-- fixtures =
+--     [ testGroup "request"
+--         [ requestAssumeRole $
+--             newAssumeRole
+--
+--         , requestAssumeRoleWithSAML $
+--             newAssumeRoleWithSAML
+--
+--         , requestAssumeRoleWithWebIdentity $
+--             newAssumeRoleWithWebIdentity
+--
+--         , requestDecodeAuthorizationMessage $
+--             newDecodeAuthorizationMessage
+--
+--         , requestGetAccessKeyInfo $
+--             newGetAccessKeyInfo
+--
+--         , requestGetCallerIdentity $
+--             newGetCallerIdentity
+--
+--         , requestGetFederationToken $
+--             newGetFederationToken
+--
+--         , requestGetSessionToken $
+--             newGetSessionToken
+--
+--           ]
+
+--     , testGroup "response"
+--         [ responseAssumeRole $
+--             newAssumeRoleResponse
+--
+--         , responseAssumeRoleWithSAML $
+--             newAssumeRoleWithSAMLResponse
+--
+--         , responseAssumeRoleWithWebIdentity $
+--             newAssumeRoleWithWebIdentityResponse
+--
+--         , responseDecodeAuthorizationMessage $
+--             newDecodeAuthorizationMessageResponse
+--
+--         , responseGetAccessKeyInfo $
+--             newGetAccessKeyInfoResponse
+--
+--         , responseGetCallerIdentity $
+--             newGetCallerIdentityResponse
+--
+--         , responseGetFederationToken $
+--             newGetFederationTokenResponse
+--
+--         , responseGetSessionToken $
+--             newGetSessionTokenResponse
+--
+--           ]
+--     ]
+
+-- Requests
+
+requestAssumeRole :: AssumeRole -> TestTree
+requestAssumeRole =
+  req
+    "AssumeRole"
+    "fixture/AssumeRole.yaml"
+
+requestAssumeRoleWithSAML :: AssumeRoleWithSAML -> TestTree
+requestAssumeRoleWithSAML =
+  req
+    "AssumeRoleWithSAML"
+    "fixture/AssumeRoleWithSAML.yaml"
+
+requestAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentity -> TestTree
+requestAssumeRoleWithWebIdentity =
+  req
+    "AssumeRoleWithWebIdentity"
+    "fixture/AssumeRoleWithWebIdentity.yaml"
+
+requestDecodeAuthorizationMessage :: DecodeAuthorizationMessage -> TestTree
+requestDecodeAuthorizationMessage =
+  req
+    "DecodeAuthorizationMessage"
+    "fixture/DecodeAuthorizationMessage.yaml"
+
+requestGetAccessKeyInfo :: GetAccessKeyInfo -> TestTree
+requestGetAccessKeyInfo =
+  req
+    "GetAccessKeyInfo"
+    "fixture/GetAccessKeyInfo.yaml"
+
+requestGetCallerIdentity :: GetCallerIdentity -> TestTree
+requestGetCallerIdentity =
+  req
+    "GetCallerIdentity"
+    "fixture/GetCallerIdentity.yaml"
+
+requestGetFederationToken :: GetFederationToken -> TestTree
+requestGetFederationToken =
+  req
+    "GetFederationToken"
+    "fixture/GetFederationToken.yaml"
+
+requestGetSessionToken :: GetSessionToken -> TestTree
+requestGetSessionToken =
+  req
+    "GetSessionToken"
+    "fixture/GetSessionToken.yaml"
+
+-- Responses
+
+responseAssumeRole :: AssumeRoleResponse -> TestTree
+responseAssumeRole =
+  res
+    "AssumeRoleResponse"
+    "fixture/AssumeRoleResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy AssumeRole)
+
+responseAssumeRoleWithSAML :: AssumeRoleWithSAMLResponse -> TestTree
+responseAssumeRoleWithSAML =
+  res
+    "AssumeRoleWithSAMLResponse"
+    "fixture/AssumeRoleWithSAMLResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy AssumeRoleWithSAML)
+
+responseAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentityResponse -> TestTree
+responseAssumeRoleWithWebIdentity =
+  res
+    "AssumeRoleWithWebIdentityResponse"
+    "fixture/AssumeRoleWithWebIdentityResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy AssumeRoleWithWebIdentity)
+
+responseDecodeAuthorizationMessage :: DecodeAuthorizationMessageResponse -> TestTree
+responseDecodeAuthorizationMessage =
+  res
+    "DecodeAuthorizationMessageResponse"
+    "fixture/DecodeAuthorizationMessageResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DecodeAuthorizationMessage)
+
+responseGetAccessKeyInfo :: GetAccessKeyInfoResponse -> TestTree
+responseGetAccessKeyInfo =
+  res
+    "GetAccessKeyInfoResponse"
+    "fixture/GetAccessKeyInfoResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy GetAccessKeyInfo)
+
+responseGetCallerIdentity :: GetCallerIdentityResponse -> TestTree
+responseGetCallerIdentity =
+  res
+    "GetCallerIdentityResponse"
+    "fixture/GetCallerIdentityResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy GetCallerIdentity)
+
+responseGetFederationToken :: GetFederationTokenResponse -> TestTree
+responseGetFederationToken =
+  res
+    "GetFederationTokenResponse"
+    "fixture/GetFederationTokenResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy GetFederationToken)
+
+responseGetSessionToken :: GetSessionTokenResponse -> TestTree
+responseGetSessionToken =
+  res
+    "GetSessionTokenResponse"
+    "fixture/GetSessionTokenResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy GetSessionToken)
diff --git a/test/Test/Amazonka/STS.hs b/test/Test/Amazonka/STS.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/STS.hs
@@ -0,0 +1,20 @@
+-- |
+-- Module      : Test.Amazonka.STS
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.STS
+  ( tests,
+    fixtures,
+  )
+where
+
+import Test.Tasty (TestTree)
+
+tests :: [TestTree]
+tests = []
+
+fixtures :: [TestTree]
+fixtures = []
diff --git a/test/Test/Amazonka/STS/Internal.hs b/test/Test/Amazonka/STS/Internal.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/STS/Internal.hs
@@ -0,0 +1,8 @@
+-- |
+-- Module      : Test.Amazonka.STS.Internal
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.STS.Internal where
