diff --git a/LICENSE b/LICENSE
new file mode 100644
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.
diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+# Amazon Security Token Service SDK
+
+> _Warning:_ This is an experimental preview release which is still under heavy development and not intended for public consumption, _caveat emptor_!
+
+* [description](#description)
+* [Contribute](#contribute)
+* [Licence](#licence)
+
+## Description
+
+The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
+
+Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts)
+and [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html).
+
+
+## Contribute
+
+For any problems, comments, or feedback please create an issue [here on GitHub](https://github.com/brendanhay/amazonka/issues).
+
+> _Note:_ this library is an auto-generated Haskell package. Please see `amazonka-gen` for more information.
+
+
+## Licence
+
+`amazonka-sts` is released under the [Mozilla Public License Version 2.0](http://www.mozilla.org/MPL/).
diff --git a/Setup.hs b/Setup.hs
new file mode 100644
--- /dev/null
+++ b/Setup.hs
@@ -0,0 +1,2 @@
+import Distribution.Simple
+main = defaultMain
diff --git a/amazonka-sts.cabal b/amazonka-sts.cabal
new file mode 100644
--- /dev/null
+++ b/amazonka-sts.cabal
@@ -0,0 +1,50 @@
+name:                  amazonka-sts
+version:               0.0.0
+synopsis:              Amazon Security Token Service SDK.
+homepage:              https://github.com/brendanhay/amazonka
+license:               OtherLicense
+license-file:          LICENSE
+author:                Brendan Hay
+maintainer:            Brendan Hay <brendan.g.hay@gmail.com>
+copyright:             Copyright (c) 2013-2014 Brendan Hay
+category:              Network, AWS, Cloud
+build-type:            Simple
+extra-source-files:    README.md
+cabal-version:         >= 1.10
+
+description:
+    The AWS Security Token Service (STS) is a web service that enables you
+    to request temporary, limited-privilege credentials for AWS Identity
+    and Access Management (IAM) users or for users that you authenticate
+    (federated users).
+    .
+    /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>
+    .
+    /Warning:/ This is an experimental preview release which is still under
+    heavy development and not intended for public consumption, caveat emptor!
+
+source-repository head
+    type:     git
+    location: git://github.com/brendanhay/amazonka.git
+
+library
+    default-language:  Haskell2010
+    hs-source-dirs:    src gen
+
+    ghc-options:       -Wall
+
+    exposed-modules:
+          Network.AWS.STS
+        , Network.AWS.STS.AssumeRole
+        , Network.AWS.STS.AssumeRoleWithSAML
+        , Network.AWS.STS.AssumeRoleWithWebIdentity
+        , Network.AWS.STS.DecodeAuthorizationMessage
+        , Network.AWS.STS.GetFederationToken
+        , Network.AWS.STS.GetSessionToken
+        , Network.AWS.STS.Types
+
+    other-modules:
+
+    build-depends:
+          amazonka-core
+        , base          >= 4.7 && < 5
diff --git a/gen/Network/AWS/STS.hs b/gen/Network/AWS/STS.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS.hs
@@ -0,0 +1,31 @@
+-- Module      : Network.AWS.STS
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | The AWS Security Token Service (STS) is a web service that enables you to
+-- request temporary, limited-privilege credentials for AWS Identity and
+-- Access Management (IAM) users or for users that you authenticate (federated
+-- users).
+module Network.AWS.STS
+    ( module Network.AWS.STS.AssumeRole
+    , module Network.AWS.STS.AssumeRoleWithSAML
+    , module Network.AWS.STS.AssumeRoleWithWebIdentity
+    , module Network.AWS.STS.DecodeAuthorizationMessage
+    , module Network.AWS.STS.GetFederationToken
+    , module Network.AWS.STS.GetSessionToken
+    , module Network.AWS.STS.Types
+    ) where
+
+import Network.AWS.STS.AssumeRole
+import Network.AWS.STS.AssumeRoleWithSAML
+import Network.AWS.STS.AssumeRoleWithWebIdentity
+import Network.AWS.STS.DecodeAuthorizationMessage
+import Network.AWS.STS.GetFederationToken
+import Network.AWS.STS.GetSessionToken
+import Network.AWS.STS.Types
diff --git a/gen/Network/AWS/STS/AssumeRole.hs b/gen/Network/AWS/STS/AssumeRole.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/AssumeRole.hs
@@ -0,0 +1,282 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.AssumeRole
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Returns a set of temporary security credentials (consisting of an access
+-- key ID, a secret access key, and a security token) that you can use to
+-- access AWS resources that you might not normally have access to. Typically,
+-- you use AssumeRole for cross-account access or federation. Important: You
+-- cannot call AssumeRole by using AWS account credentials; access will be
+-- denied. You must use IAM user credentials or temporary security credentials
+-- to call AssumeRole. For cross-account access, imagine that you own multiple
+-- accounts and need to access resources in each account. You could create
+-- long-term credentials in each account to access those resources. However,
+-- managing all those credentials and remembering which one can access which
+-- account can be time consuming. Instead, you can create one set of long-term
+-- credentials in one account and then use temporary security credentials to
+-- access all the other accounts by assuming roles in those accounts. For more
+-- information about roles, see Roles in Using IAM. For federation, you can,
+-- for example, grant single sign-on access to the AWS Management Console. If
+-- you already have an identity and authentication system in your corporate
+-- network, you don't have to recreate user identities in AWS in order to
+-- grant those user identities access to AWS. Instead, after a user has been
+-- authenticated, you call AssumeRole (and specify the role with the
+-- appropriate permissions) to get temporary security credentials for that
+-- user. With those temporary security credentials, you construct a sign-in
+-- URL that users can use to access the console. For more information, see
+-- Scenarios for Granting Temporary Access in Using Temporary Security
+-- Credentials. The temporary security credentials are valid for the duration
+-- that you specified when calling AssumeRole, which can be from 900 seconds
+-- (15 minutes) to 3600 seconds (1 hour). The default is 1 hour. Optionally,
+-- you can pass an IAM access policy to this operation. If you choose not to
+-- pass a policy, the temporary security credentials that are returned by the
+-- operation have the permissions that are defined in the access policy of the
+-- role that is being assumed. If you pass a policy to this operation, the
+-- temporary security credentials that are returned by the operation have the
+-- permissions that are allowed by both the access policy of the role that is
+-- being assumed, and the policy that you pass. This gives you a way to
+-- further restrict the permissions for the resulting temporary security
+-- credentials. You cannot use the passed policy to grant permissions that are
+-- in excess of those allowed by the access policy of the role that is being
+-- assumed. For more information, see Permissions for AssumeRole in Using
+-- Temporary Security Credentials. To assume a role, your AWS account must be
+-- trusted by the role. The trust relationship is defined in the role's trust
+-- policy when the role is created. You must also have a policy that allows
+-- you to call sts:AssumeRole. Using MFA with AssumeRole You can optionally
+-- include multi-factor authentication (MFA) information when you call
+-- AssumeRole. This is useful for cross-account scenarios in which you want to
+-- make sure that the user who is assuming the role has been authenticated
+-- using an AWS MFA device. In that scenario, the trust policy of the role
+-- being assumed includes a condition that tests for MFA authentication; if
+-- the caller does not include valid MFA information, the request to assume
+-- the role is denied. The condition in a trust policy that tests for MFA
+-- authentication might look like the following example. "Condition": {"Null":
+-- {"aws:MultiFactorAuthAge": false}} For more information, see Configuring
+-- MFA-Protected API Access in the Using IAM guide. To use MFA with
+-- AssumeRole, you pass values for the SerialNumber and TokenCode parameters.
+-- The SerialNumber value identifies the user's hardware or virtual MFA
+-- device. The TokenCode is the time-based one-time password (TOTP) that the
+-- MFA devices produces.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>
+module Network.AWS.STS.AssumeRole
+    (
+    -- * Request
+      AssumeRole
+    -- ** Request constructor
+    , assumeRole
+    -- ** Request lenses
+    , arDurationSeconds
+    , arExternalId
+    , arPolicy
+    , arRoleArn
+    , arRoleSessionName
+    , arSerialNumber
+    , arTokenCode
+
+    -- * Response
+    , AssumeRoleResponse
+    -- ** Response constructor
+    , assumeRoleResponse
+    -- ** Response lenses
+    , arrAssumedRoleUser
+    , arrCredentials
+    , arrPackedPolicySize
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+data AssumeRole = AssumeRole
+    { _arDurationSeconds :: Maybe Nat
+    , _arExternalId      :: Maybe Text
+    , _arPolicy          :: Maybe Text
+    , _arRoleArn         :: Text
+    , _arRoleSessionName :: Text
+    , _arSerialNumber    :: Maybe Text
+    , _arTokenCode       :: Maybe Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'AssumeRole' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arDurationSeconds' @::@ 'Maybe' 'Natural'
+--
+-- * 'arExternalId' @::@ 'Maybe' 'Text'
+--
+-- * 'arPolicy' @::@ 'Maybe' 'Text'
+--
+-- * 'arRoleArn' @::@ 'Text'
+--
+-- * 'arRoleSessionName' @::@ 'Text'
+--
+-- * 'arSerialNumber' @::@ 'Maybe' 'Text'
+--
+-- * 'arTokenCode' @::@ 'Maybe' 'Text'
+--
+assumeRole :: Text -- ^ 'arRoleArn'
+           -> Text -- ^ 'arRoleSessionName'
+           -> AssumeRole
+assumeRole p1 p2 = AssumeRole
+    { _arRoleArn         = p1
+    , _arRoleSessionName = p2
+    , _arPolicy          = Nothing
+    , _arDurationSeconds = Nothing
+    , _arExternalId      = Nothing
+    , _arSerialNumber    = Nothing
+    , _arTokenCode       = Nothing
+    }
+
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds.
+arDurationSeconds :: Lens' AssumeRole (Maybe Natural)
+arDurationSeconds =
+    lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })
+        . mapping _Nat
+
+-- | A unique identifier that is used by third parties to assume a role in
+-- their customers' accounts. For each role that the third party can assume,
+-- they should instruct their customers to create a role with the external
+-- ID that the third party generated. Each time the third party assumes the
+-- role, they must pass the customer's external ID. The external ID is
+-- useful in order to help third parties bind a role to the customer who
+-- created it. For more information about the external ID, see About the
+-- External ID in Using Temporary Security Credentials.
+arExternalId :: Lens' AssumeRole (Maybe Text)
+arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })
+
+-- | An IAM policy in JSON format. The policy parameter is optional. If you
+-- pass a policy, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, and the policy that you pass.
+-- This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see Permissions for AssumeRole in Using Temporary Security Credentials.
+arPolicy :: Lens' AssumeRole (Maybe Text)
+arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })
+
+-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+arRoleArn :: Lens' AssumeRole Text
+arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })
+
+-- | An identifier for the assumed role session. The session name is included
+-- as part of the AssumedRoleUser.
+arRoleSessionName :: Lens' AssumeRole Text
+arRoleSessionName =
+    lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })
+
+-- | The identification number of the MFA device that is associated with the
+-- user who is making the AssumeRole call. Specify this value if the trust
+-- policy of the role being assumed includes a condition that requires MFA
+-- authentication. The value is either the serial number for a hardware
+-- device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a
+-- virtual device (such as arn:aws:iam::123456789012:mfa/user).
+arSerialNumber :: Lens' AssumeRole (Maybe Text)
+arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })
+
+-- | The value provided by the MFA device, if the trust policy of the role
+-- being assumed requires MFA (that is, if the policy includes a condition
+-- that tests for MFA). If the role being assumed requires MFA and if the
+-- TokenCode value is missing or expired, the AssumeRole call returns an
+-- "access denied" error.
+arTokenCode :: Lens' AssumeRole (Maybe Text)
+arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })
+
+data AssumeRoleResponse = AssumeRoleResponse
+    { _arrAssumedRoleUser  :: Maybe AssumedRoleUser
+    , _arrCredentials      :: Maybe Credentials
+    , _arrPackedPolicySize :: Maybe Nat
+    } deriving (Eq, Show)
+
+-- | 'AssumeRoleResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+--
+-- * 'arrCredentials' @::@ 'Maybe' 'Credentials'
+--
+-- * 'arrPackedPolicySize' @::@ 'Maybe' 'Natural'
+--
+assumeRoleResponse :: AssumeRoleResponse
+assumeRoleResponse = AssumeRoleResponse
+    { _arrCredentials      = Nothing
+    , _arrAssumedRoleUser  = Nothing
+    , _arrPackedPolicySize = Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary security
+-- credentials. For example, you can reference these credentials as a
+-- principal in a resource-based policy by using the ARN or assumed role ID.
+-- The ARN and ID include the RoleSessionName that you specified when you
+-- called AssumeRole.
+arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
+arrAssumedRoleUser =
+    lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security (or session) token.
+arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
+arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })
+
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
+arrPackedPolicySize =
+    lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })
+        . mapping _Nat
+
+instance ToPath AssumeRole where
+    toPath = const "/"
+
+instance ToQuery AssumeRole where
+    toQuery AssumeRole{..} = mconcat
+        [ "DurationSeconds" =? _arDurationSeconds
+        , "ExternalId"      =? _arExternalId
+        , "Policy"          =? _arPolicy
+        , "RoleArn"         =? _arRoleArn
+        , "RoleSessionName" =? _arRoleSessionName
+        , "SerialNumber"    =? _arSerialNumber
+        , "TokenCode"       =? _arTokenCode
+        ]
+
+instance ToHeaders AssumeRole
+
+instance AWSRequest AssumeRole where
+    type Sv AssumeRole = STS
+    type Rs AssumeRole = AssumeRoleResponse
+
+    request  = post "AssumeRole"
+    response = xmlResponse
+
+instance FromXML AssumeRoleResponse where
+    parseXML = withElement "AssumeRoleResult" $ \x -> AssumeRoleResponse
+        <$> x .@? "AssumedRoleUser"
+        <*> x .@? "Credentials"
+        <*> x .@? "PackedPolicySize"
diff --git a/gen/Network/AWS/STS/AssumeRoleWithSAML.hs b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/AssumeRoleWithSAML.hs
@@ -0,0 +1,292 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.AssumeRoleWithSAML
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Returns a set of temporary security credentials for users who have been
+-- authenticated via a SAML authentication response. This operation provides a
+-- mechanism for tying an enterprise identity store or directory to role-based
+-- AWS access without user-specific credentials or configuration. The
+-- temporary security credentials returned by this operation consist of an
+-- access key ID, a secret access key, and a security token. Applications can
+-- use these temporary security credentials to sign calls to AWS services. The
+-- credentials are valid for the duration that you specified when calling
+-- AssumeRoleWithSAML, which can be up to 3600 seconds (1 hour) or until the
+-- time specified in the SAML authentication response's NotOnOrAfter value,
+-- whichever is shorter. Optionally, you can pass an IAM access policy to this
+-- operation. If you choose not to pass a policy, the temporary security
+-- credentials that are returned by the operation have the permissions that
+-- are defined in the access policy of the role that is being assumed. If you
+-- pass a policy to this operation, the temporary security credentials that
+-- are returned by the operation have the permissions that are allowed by both
+-- the access policy of the role that is being assumed, and the policy that
+-- you pass. This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed policy
+-- to grant permissions that are in excess of those allowed by the access
+-- policy of the role that is being assumed. For more information, see
+-- Permissions for AssumeRoleWithSAML in Using Temporary Security Credentials.
+-- Before your application can call AssumeRoleWithSAML, you must configure
+-- your SAML identity provider (IdP) to issue the claims required by AWS.
+-- Additionally, you must use AWS Identity and Access Management (IAM) to
+-- create a SAML provider entity in your AWS account that represents your
+-- identity provider, and create an IAM role that specifies this SAML provider
+-- in its trust policy. Calling AssumeRoleWithSAML does not require the use of
+-- AWS security credentials. The identity of the caller is validated by using
+-- keys in the metadata document that is uploaded for the SAML provider entity
+-- for your identity provider. For more information, see the following
+-- resources: Creating Temporary Security Credentials for SAML Federation in
+-- Using Temporary Security Credentials. SAML Providers in Using IAM.
+-- Configuring a Relying Party and Claims in Using IAM. Creating a Role for
+-- SAML-Based Federation in Using IAM.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>
+module Network.AWS.STS.AssumeRoleWithSAML
+    (
+    -- * Request
+      AssumeRoleWithSAML
+    -- ** Request constructor
+    , assumeRoleWithSAML
+    -- ** Request lenses
+    , arwsamlDurationSeconds
+    , arwsamlPolicy
+    , arwsamlPrincipalArn
+    , arwsamlRoleArn
+    , arwsamlSAMLAssertion
+
+    -- * Response
+    , AssumeRoleWithSAMLResponse
+    -- ** Response constructor
+    , assumeRoleWithSAMLResponse
+    -- ** Response lenses
+    , arwsamlrAssumedRoleUser
+    , arwsamlrAudience
+    , arwsamlrCredentials
+    , arwsamlrIssuer
+    , arwsamlrNameQualifier
+    , arwsamlrPackedPolicySize
+    , arwsamlrSubject
+    , arwsamlrSubjectType
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+data AssumeRoleWithSAML = AssumeRoleWithSAML
+    { _arwsamlDurationSeconds :: Maybe Nat
+    , _arwsamlPolicy          :: Maybe Text
+    , _arwsamlPrincipalArn    :: Text
+    , _arwsamlRoleArn         :: Text
+    , _arwsamlSAMLAssertion   :: Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'AssumeRoleWithSAML' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arwsamlDurationSeconds' @::@ 'Maybe' 'Natural'
+--
+-- * 'arwsamlPolicy' @::@ 'Maybe' 'Text'
+--
+-- * 'arwsamlPrincipalArn' @::@ 'Text'
+--
+-- * 'arwsamlRoleArn' @::@ 'Text'
+--
+-- * 'arwsamlSAMLAssertion' @::@ 'Text'
+--
+assumeRoleWithSAML :: Text -- ^ 'arwsamlRoleArn'
+                   -> Text -- ^ 'arwsamlPrincipalArn'
+                   -> Text -- ^ 'arwsamlSAMLAssertion'
+                   -> AssumeRoleWithSAML
+assumeRoleWithSAML p1 p2 p3 = AssumeRoleWithSAML
+    { _arwsamlRoleArn         = p1
+    , _arwsamlPrincipalArn    = p2
+    , _arwsamlSAMLAssertion   = p3
+    , _arwsamlPolicy          = Nothing
+    , _arwsamlDurationSeconds = Nothing
+    }
+
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds. An expiration can also be specified in the SAML
+-- authentication response's NotOnOrAfter value. The actual expiration time
+-- is whichever value is shorter.
+arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)
+arwsamlDurationSeconds =
+    lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })
+        . mapping _Nat
+
+-- | An IAM policy in JSON format. The policy parameter is optional. If you
+-- pass a policy, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, and the policy that you pass.
+-- This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see Permissions for AssumeRoleWithSAML in Using Temporary Security
+-- Credentials.
+arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)
+arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })
+
+-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
+-- the IdP.
+arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text
+arwsamlPrincipalArn =
+    lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })
+
+-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text
+arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })
+
+-- | The base-64 encoded SAML authentication response provided by the IdP. For
+-- more information, see Configuring a Relying Party and Adding Claims in
+-- the Using IAM guide.
+arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text
+arwsamlSAMLAssertion =
+    lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })
+
+data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse
+    { _arwsamlrAssumedRoleUser  :: Maybe AssumedRoleUser
+    , _arwsamlrAudience         :: Maybe Text
+    , _arwsamlrCredentials      :: Maybe Credentials
+    , _arwsamlrIssuer           :: Maybe Text
+    , _arwsamlrNameQualifier    :: Maybe Text
+    , _arwsamlrPackedPolicySize :: Maybe Nat
+    , _arwsamlrSubject          :: Maybe Text
+    , _arwsamlrSubjectType      :: Maybe Text
+    } deriving (Eq, Show)
+
+-- | 'AssumeRoleWithSAMLResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arwsamlrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+--
+-- * 'arwsamlrAudience' @::@ 'Maybe' 'Text'
+--
+-- * 'arwsamlrCredentials' @::@ 'Maybe' 'Credentials'
+--
+-- * 'arwsamlrIssuer' @::@ 'Maybe' 'Text'
+--
+-- * 'arwsamlrNameQualifier' @::@ 'Maybe' 'Text'
+--
+-- * 'arwsamlrPackedPolicySize' @::@ 'Maybe' 'Natural'
+--
+-- * 'arwsamlrSubject' @::@ 'Maybe' 'Text'
+--
+-- * 'arwsamlrSubjectType' @::@ 'Maybe' 'Text'
+--
+assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse
+assumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse
+    { _arwsamlrCredentials      = Nothing
+    , _arwsamlrAssumedRoleUser  = Nothing
+    , _arwsamlrPackedPolicySize = Nothing
+    , _arwsamlrSubject          = Nothing
+    , _arwsamlrSubjectType      = Nothing
+    , _arwsamlrIssuer           = Nothing
+    , _arwsamlrAudience         = Nothing
+    , _arwsamlrNameQualifier    = Nothing
+    }
+
+arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
+arwsamlrAssumedRoleUser =
+    lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })
+
+-- | The value of the Recipient attribute of the SubjectConfirmationData
+-- element of the SAML assertion.
+arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })
+
+arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
+arwsamlrCredentials =
+    lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })
+
+-- | The value of the Issuer element of the SAML assertion.
+arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })
+
+-- | A hash value based on the concatenation of the Issuer response value, the
+-- AWS account ID, and the friendly name (the last part of the ARN) of the
+-- SAML provider in IAM. The combination of NameQualifier and Subject can be
+-- used to uniquely identify a federated user. The following pseudocode
+-- shows how the hash value is calculated: BASE64 ( SHA1 (
+-- "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ).
+arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrNameQualifier =
+    lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })
+
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
+arwsamlrPackedPolicySize =
+    lens _arwsamlrPackedPolicySize
+        (\s a -> s { _arwsamlrPackedPolicySize = a })
+            . mapping _Nat
+
+-- | The value of the NameID element in the Subject element of the SAML
+-- assertion.
+arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })
+
+-- | The format of the name ID, as defined by the Format attribute in the
+-- NameID element of the SAML assertion. Typical examples of the format are
+-- transient or persistent. If the format includes the prefix
+-- urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For
+-- example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned
+-- as transient. If the format includes any other prefix, the format is
+-- returned with no modifications.
+arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+arwsamlrSubjectType =
+    lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })
+
+instance ToPath AssumeRoleWithSAML where
+    toPath = const "/"
+
+instance ToQuery AssumeRoleWithSAML where
+    toQuery AssumeRoleWithSAML{..} = mconcat
+        [ "DurationSeconds" =? _arwsamlDurationSeconds
+        , "Policy"          =? _arwsamlPolicy
+        , "PrincipalArn"    =? _arwsamlPrincipalArn
+        , "RoleArn"         =? _arwsamlRoleArn
+        , "SAMLAssertion"   =? _arwsamlSAMLAssertion
+        ]
+
+instance ToHeaders AssumeRoleWithSAML
+
+instance AWSRequest AssumeRoleWithSAML where
+    type Sv AssumeRoleWithSAML = STS
+    type Rs AssumeRoleWithSAML = AssumeRoleWithSAMLResponse
+
+    request  = post "AssumeRoleWithSAML"
+    response = xmlResponse
+
+instance FromXML AssumeRoleWithSAMLResponse where
+    parseXML = withElement "AssumeRoleWithSAMLResult" $ \x -> AssumeRoleWithSAMLResponse
+        <$> x .@? "AssumedRoleUser"
+        <*> x .@? "Audience"
+        <*> x .@? "Credentials"
+        <*> x .@? "Issuer"
+        <*> x .@? "NameQualifier"
+        <*> x .@? "PackedPolicySize"
+        <*> x .@? "Subject"
+        <*> x .@? "SubjectType"
diff --git a/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs
@@ -0,0 +1,306 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.AssumeRoleWithWebIdentity
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Returns a set of temporary security credentials for users who have been
+-- authenticated in a mobile or web application with a web identity provider,
+-- such as Login with Amazon, Amazon Cognito, Facebook, or Google. Calling
+-- AssumeRoleWithWebIdentity does not require the use of AWS security
+-- credentials. Therefore, you can distribute an application (for example, on
+-- mobile devices) that requests temporary security credentials without
+-- including long-term AWS credentials in the application, and without
+-- deploying server-based proxy services that use long-term AWS credentials.
+-- Instead, the identity of the caller is validated by using a token from the
+-- web identity provider. The temporary security credentials returned by this
+-- API consist of an access key ID, a secret access key, and a security token.
+-- Applications can use these temporary security credentials to sign calls to
+-- AWS service APIs. The credentials are valid for the duration that you
+-- specified when calling AssumeRoleWithWebIdentity, which can be from 900
+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary
+-- security credentials are valid for 1 hour. Optionally, you can pass an IAM
+-- access policy to this operation. If you choose not to pass a policy, the
+-- temporary security credentials that are returned by the operation have the
+-- permissions that are defined in the access policy of the role that is being
+-- assumed. If you pass a policy to this operation, the temporary security
+-- credentials that are returned by the operation have the permissions that
+-- are allowed by both the access policy of the role that is being assumed,
+-- and the policy that you pass. This gives you a way to further restrict the
+-- permissions for the resulting temporary security credentials. You cannot
+-- use the passed policy to grant permissions that are in excess of those
+-- allowed by the access policy of the role that is being assumed. For more
+-- information, see Permissions for AssumeRoleWithWebIdentity in Using
+-- Temporary Security Credentials. Before your application can call
+-- AssumeRoleWithWebIdentity, you must have an identity token from a supported
+-- identity provider and create a role that the application can assume. The
+-- role that your application assumes must trust the identity provider that is
+-- associated with the identity token. In other words, the identity provider
+-- must be specified in the role's trust policy. For more information about
+-- how to use web identity federation and the AssumeRoleWithWebIdentity, see
+-- the following resources: Creating a Mobile Application with Third-Party
+-- Sign-In and Creating Temporary Security Credentials for Mobile Apps Using
+-- Third-Party Identity Providers in Using Temporary Security Credentials. Web
+-- Identity Federation Playground. This interactive website lets you walk
+-- through the process of authenticating via Login with Amazon, Facebook, or
+-- Google, getting temporary security credentials, and then using those
+-- credentials to make a request to AWS. AWS SDK for iOS and AWS SDK for
+-- Android. These toolkits contain sample apps that show how to invoke the
+-- identity providers, and then how to use the information from these
+-- providers to get and use temporary security credentials. Web Identity
+-- Federation with Mobile Applications. This article discusses web identity
+-- federation and shows an example of how to use web identity federation to
+-- get access to content in Amazon S3.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>
+module Network.AWS.STS.AssumeRoleWithWebIdentity
+    (
+    -- * Request
+      AssumeRoleWithWebIdentity
+    -- ** Request constructor
+    , assumeRoleWithWebIdentity
+    -- ** Request lenses
+    , arwwiDurationSeconds
+    , arwwiPolicy
+    , arwwiProviderId
+    , arwwiRoleArn
+    , arwwiRoleSessionName
+    , arwwiWebIdentityToken
+
+    -- * Response
+    , AssumeRoleWithWebIdentityResponse
+    -- ** Response constructor
+    , assumeRoleWithWebIdentityResponse
+    -- ** Response lenses
+    , arwwirAssumedRoleUser
+    , arwwirAudience
+    , arwwirCredentials
+    , arwwirPackedPolicySize
+    , arwwirProvider
+    , arwwirSubjectFromWebIdentityToken
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity
+    { _arwwiDurationSeconds  :: Maybe Nat
+    , _arwwiPolicy           :: Maybe Text
+    , _arwwiProviderId       :: Maybe Text
+    , _arwwiRoleArn          :: Text
+    , _arwwiRoleSessionName  :: Text
+    , _arwwiWebIdentityToken :: Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'AssumeRoleWithWebIdentity' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arwwiDurationSeconds' @::@ 'Maybe' 'Natural'
+--
+-- * 'arwwiPolicy' @::@ 'Maybe' 'Text'
+--
+-- * 'arwwiProviderId' @::@ 'Maybe' 'Text'
+--
+-- * 'arwwiRoleArn' @::@ 'Text'
+--
+-- * 'arwwiRoleSessionName' @::@ 'Text'
+--
+-- * 'arwwiWebIdentityToken' @::@ 'Text'
+--
+assumeRoleWithWebIdentity :: Text -- ^ 'arwwiRoleArn'
+                          -> Text -- ^ 'arwwiRoleSessionName'
+                          -> Text -- ^ 'arwwiWebIdentityToken'
+                          -> AssumeRoleWithWebIdentity
+assumeRoleWithWebIdentity p1 p2 p3 = AssumeRoleWithWebIdentity
+    { _arwwiRoleArn          = p1
+    , _arwwiRoleSessionName  = p2
+    , _arwwiWebIdentityToken = p3
+    , _arwwiProviderId       = Nothing
+    , _arwwiPolicy           = Nothing
+    , _arwwiDurationSeconds  = Nothing
+    }
+
+-- | The duration, in seconds, of the role session. The value can range from
+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value
+-- is set to 3600 seconds.
+arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)
+arwwiDurationSeconds =
+    lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })
+        . mapping _Nat
+
+-- | An IAM policy in JSON format. The policy parameter is optional. If you
+-- pass a policy, the temporary security credentials that are returned by
+-- the operation have the permissions that are allowed by both the access
+-- policy of the role that is being assumed, and the policy that you pass.
+-- This gives you a way to further restrict the permissions for the
+-- resulting temporary security credentials. You cannot use the passed
+-- policy to grant permissions that are in excess of those allowed by the
+-- access policy of the role that is being assumed. For more information,
+-- see Permissions for AssumeRoleWithWebIdentity in Using Temporary Security
+-- Credentials.
+arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
+arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })
+
+-- | The fully-qualified host component of the domain name of the identity
+-- provider. Specify this value only for OAuth access tokens. Do not specify
+-- this value for OpenID Connect ID tokens, such as accounts.google.com. Do
+-- not include URL schemes and port numbers. Currently, www.amazon.com and
+-- graph.facebook.com are supported.
+arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)
+arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })
+
+-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.
+arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text
+arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })
+
+-- | An identifier for the assumed role session. Typically, you pass the name
+-- or identifier that is associated with the user who is using your
+-- application. That way, the temporary security credentials that your
+-- application will use are associated with that user. This session name is
+-- included as part of the ARN and assumed role ID in the AssumedRoleUser
+-- response element.
+arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text
+arwwiRoleSessionName =
+    lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })
+
+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by
+-- the identity provider. Your application must get this token by
+-- authenticating the user who is using your application with a web identity
+-- provider before the application makes an AssumeRoleWithWebIdentity call.
+arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text
+arwwiWebIdentityToken =
+    lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })
+
+data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse
+    { _arwwirAssumedRoleUser             :: Maybe AssumedRoleUser
+    , _arwwirAudience                    :: Maybe Text
+    , _arwwirCredentials                 :: Maybe Credentials
+    , _arwwirPackedPolicySize            :: Maybe Nat
+    , _arwwirProvider                    :: Maybe Text
+    , _arwwirSubjectFromWebIdentityToken :: Maybe Text
+    } deriving (Eq, Show)
+
+-- | 'AssumeRoleWithWebIdentityResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'arwwirAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'
+--
+-- * 'arwwirAudience' @::@ 'Maybe' 'Text'
+--
+-- * 'arwwirCredentials' @::@ 'Maybe' 'Credentials'
+--
+-- * 'arwwirPackedPolicySize' @::@ 'Maybe' 'Natural'
+--
+-- * 'arwwirProvider' @::@ 'Maybe' 'Text'
+--
+-- * 'arwwirSubjectFromWebIdentityToken' @::@ 'Maybe' 'Text'
+--
+assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse
+assumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse
+    { _arwwirCredentials                 = Nothing
+    , _arwwirSubjectFromWebIdentityToken = Nothing
+    , _arwwirAssumedRoleUser             = Nothing
+    , _arwwirPackedPolicySize            = Nothing
+    , _arwwirProvider                    = Nothing
+    , _arwwirAudience                    = Nothing
+    }
+
+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
+-- identifiers that you can use to refer to the resulting temporary security
+-- credentials. For example, you can reference these credentials as a
+-- principal in a resource-based policy by using the ARN or assumed role ID.
+-- The ARN and ID include the RoleSessionName that you specified when you
+-- called AssumeRole.
+arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
+arwwirAssumedRoleUser =
+    lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })
+
+-- | The intended audience of the web identity token. This is traditionally
+-- the client identifier issued to the application that requested the web
+-- identity token.
+arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })
+
+-- | The temporary security credentials, which include an access key ID, a
+-- secret access key, and a security token.
+arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
+arwwirCredentials =
+    lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })
+
+-- | A percentage value that indicates the size of the policy in packed form.
+-- The service rejects any policy with a packed size greater than 100
+-- percent, which means the policy exceeded the allowed space.
+arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
+arwwirPackedPolicySize =
+    lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })
+        . mapping _Nat
+
+-- | The issuing authority of the web identity token presented. For OpenID
+-- Connect ID Tokens this contains the value of the iss field. For OAuth 2.0
+-- Access Tokens, this contains the value of the ProviderId parameter that
+-- was passed in the AssumeRoleWithWebIdentity request.
+arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })
+
+-- | The unique user identifier that is returned by the identity provider.
+-- This identifier is associated with the WebIdentityToken that was
+-- submitted with the AssumeRoleWithWebIdentity call. The identifier is
+-- typically unique to the user and the application that acquired the
+-- WebIdentityToken (pairwise identifier). If an OpenID Connect ID token was
+-- submitted in the WebIdentityToken, this value is returned by the identity
+-- provider as the token's sub (Subject) claim.
+arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+arwwirSubjectFromWebIdentityToken =
+    lens _arwwirSubjectFromWebIdentityToken
+        (\s a -> s { _arwwirSubjectFromWebIdentityToken = a })
+
+instance ToPath AssumeRoleWithWebIdentity where
+    toPath = const "/"
+
+instance ToQuery AssumeRoleWithWebIdentity where
+    toQuery AssumeRoleWithWebIdentity{..} = mconcat
+        [ "DurationSeconds"  =? _arwwiDurationSeconds
+        , "Policy"           =? _arwwiPolicy
+        , "ProviderId"       =? _arwwiProviderId
+        , "RoleArn"          =? _arwwiRoleArn
+        , "RoleSessionName"  =? _arwwiRoleSessionName
+        , "WebIdentityToken" =? _arwwiWebIdentityToken
+        ]
+
+instance ToHeaders AssumeRoleWithWebIdentity
+
+instance AWSRequest AssumeRoleWithWebIdentity where
+    type Sv AssumeRoleWithWebIdentity = STS
+    type Rs AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse
+
+    request  = post "AssumeRoleWithWebIdentity"
+    response = xmlResponse
+
+instance FromXML AssumeRoleWithWebIdentityResponse where
+    parseXML = withElement "AssumeRoleWithWebIdentityResult" $ \x -> AssumeRoleWithWebIdentityResponse
+        <$> x .@? "AssumedRoleUser"
+        <*> x .@? "Audience"
+        <*> x .@? "Credentials"
+        <*> x .@? "PackedPolicySize"
+        <*> x .@? "Provider"
+        <*> x .@? "SubjectFromWebIdentityToken"
diff --git a/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/DecodeAuthorizationMessage.hs
@@ -0,0 +1,125 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.DecodeAuthorizationMessage
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Decodes additional information about the authorization status of a request
+-- from an encoded message returned in response to an AWS request. For
+-- example, if a user is not authorized to perform an action that he or she
+-- has requested, the request returns a Client.UnauthorizedOperation response
+-- (an HTTP 403 response). Some AWS actions additionally return an encoded
+-- message that can provide details about this authorization failure. The
+-- message is encoded because the details of the authorization status can
+-- constitute privileged information that the user who requested the action
+-- should not see. To decode an authorization status message, a user must be
+-- granted permissions via an IAM policy to request the
+-- DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action. The
+-- decoded message includes the following type of information: Whether the
+-- request was denied due to an explicit deny or due to the absence of an
+-- explicit allow. For more information, see Determining Whether a Request is
+-- Allowed or Denied in Using IAM. The principal who made the request. The
+-- requested action. The requested resource. The values of condition keys in
+-- the context of the user's request.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>
+module Network.AWS.STS.DecodeAuthorizationMessage
+    (
+    -- * Request
+      DecodeAuthorizationMessage
+    -- ** Request constructor
+    , decodeAuthorizationMessage
+    -- ** Request lenses
+    , damEncodedMessage
+
+    -- * Response
+    , DecodeAuthorizationMessageResponse
+    -- ** Response constructor
+    , decodeAuthorizationMessageResponse
+    -- ** Response lenses
+    , damrDecodedMessage
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage
+    { _damEncodedMessage :: Text
+    } deriving (Eq, Ord, Show, Monoid, IsString)
+
+-- | 'DecodeAuthorizationMessage' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'damEncodedMessage' @::@ 'Text'
+--
+decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'
+                           -> DecodeAuthorizationMessage
+decodeAuthorizationMessage p1 = DecodeAuthorizationMessage
+    { _damEncodedMessage = p1
+    }
+
+-- | The encoded message that was returned with the response.
+damEncodedMessage :: Lens' DecodeAuthorizationMessage Text
+damEncodedMessage =
+    lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })
+
+newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
+    { _damrDecodedMessage :: Maybe Text
+    } deriving (Eq, Ord, Show, Monoid)
+
+-- | 'DecodeAuthorizationMessageResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'damrDecodedMessage' @::@ 'Maybe' 'Text'
+--
+decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse
+decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse
+    { _damrDecodedMessage = Nothing
+    }
+
+-- | An XML document that contains the decoded message. For more information,
+-- see DecodeAuthorizationMessage.
+damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
+damrDecodedMessage =
+    lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })
+
+instance ToPath DecodeAuthorizationMessage where
+    toPath = const "/"
+
+instance ToQuery DecodeAuthorizationMessage where
+    toQuery DecodeAuthorizationMessage{..} = mconcat
+        [ "EncodedMessage" =? _damEncodedMessage
+        ]
+
+instance ToHeaders DecodeAuthorizationMessage
+
+instance AWSRequest DecodeAuthorizationMessage where
+    type Sv DecodeAuthorizationMessage = STS
+    type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse
+
+    request  = post "DecodeAuthorizationMessage"
+    response = xmlResponse
+
+instance FromXML DecodeAuthorizationMessageResponse where
+    parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse
+        <$> x .@? "DecodedMessage"
diff --git a/gen/Network/AWS/STS/GetFederationToken.hs b/gen/Network/AWS/STS/GetFederationToken.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/GetFederationToken.hs
@@ -0,0 +1,229 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.GetFederationToken
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Returns a set of temporary security credentials (consisting of an access
+-- key ID, a secret access key, and a security token) for a federated user. A
+-- typical use is in a proxy application that gets temporary security
+-- credentials on behalf of distributed applications inside a corporate
+-- network. Because you must call the GetFederationToken action using the
+-- long-term security credentials of an IAM user, this call is appropriate in
+-- contexts where those credentials can be safely stored, usually in a
+-- server-based application. Note: Do not use this call in mobile applications
+-- or client-based web applications that directly get temporary security
+-- credentials. For those types of applications, use
+-- AssumeRoleWithWebIdentity. The GetFederationToken action must be called by
+-- using the long-term AWS security credentials of an IAM user. You can also
+-- call GetFederationToken using the security credentials of an AWS account
+-- (root), but this is not recommended. Instead, we recommend that you create
+-- an IAM user for the purpose of the proxy application and then attach a
+-- policy to the IAM user that limits federated users to only the actions and
+-- resources they need access to. For more information, see IAM Best Practices
+-- in Using IAM. The temporary security credentials that are obtained by using
+-- the long-term credentials of an IAM user are valid for the specified
+-- duration, between 900 seconds (15 minutes) and 129600 seconds (36 hours).
+-- Temporary credentials that are obtained by using AWS account (root)
+-- credentials have a maximum duration of 3600 seconds (1 hour) Permissions
+-- The permissions for the temporary security credentials returned by
+-- GetFederationToken are determined by a combination of the following: The
+-- policy or policies that are attached to the IAM user whose credentials are
+-- used to call GetFederationToken. The policy that is passed as a parameter
+-- in the call. The passed policy is attached to the temporary security
+-- credentials that result from the GetFederationToken API call--that is, to
+-- the federated user. When the federated user makes an AWS request, AWS
+-- evaluates the policy attached to the federated user in combination with the
+-- policy or policies attached to the IAM user whose credentials were used to
+-- call GetFederationToken. AWS allows the federated user's request only when
+-- both the federated user and the IAM user are explicitly allowed to perform
+-- the requested action. The passed policy cannot grant more permissions than
+-- those that are defined in the IAM user policy. A typical use case is that
+-- the permissions of the IAM user whose credentials are used to call
+-- GetFederationToken are designed to allow access to all the actions and
+-- resources that any federated user will need. Then, for individual users,
+-- you pass a policy to the operation that scopes down the permissions to a
+-- level that's appropriate to that individual user, using a policy that
+-- allows only a subset of permissions that are granted to the IAM user. If
+-- you do not pass a policy, the resulting temporary security credentials have
+-- no effective permissions. The only exception is when the temporary security
+-- credentials are used to access a resource that has a resource-based policy
+-- that specifically allows the federated user to access the resource. For
+-- more information about how permissions work, see Permissions for
+-- GetFederationToken in Using Temporary Security Credentials. For information
+-- about using GetFederationToken to create temporary security credentials,
+-- see Creating Temporary Credentials to Enable Access for Federated Users in
+-- Using Temporary Security Credentials.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>
+module Network.AWS.STS.GetFederationToken
+    (
+    -- * Request
+      GetFederationToken
+    -- ** Request constructor
+    , getFederationToken
+    -- ** Request lenses
+    , gftDurationSeconds
+    , gftName
+    , gftPolicy
+
+    -- * Response
+    , GetFederationTokenResponse
+    -- ** Response constructor
+    , getFederationTokenResponse
+    -- ** Response lenses
+    , gftrCredentials
+    , gftrFederatedUser
+    , gftrPackedPolicySize
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+data GetFederationToken = GetFederationToken
+    { _gftDurationSeconds :: Maybe Nat
+    , _gftName            :: Text
+    , _gftPolicy          :: Maybe Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'GetFederationToken' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gftDurationSeconds' @::@ 'Maybe' 'Natural'
+--
+-- * 'gftName' @::@ 'Text'
+--
+-- * 'gftPolicy' @::@ 'Maybe' 'Text'
+--
+getFederationToken :: Text -- ^ 'gftName'
+                   -> GetFederationToken
+getFederationToken p1 = GetFederationToken
+    { _gftName            = p1
+    , _gftPolicy          = Nothing
+    , _gftDurationSeconds = Nothing
+    }
+
+-- | The duration, in seconds, that the session should last. Acceptable
+-- durations for federation sessions range from 900 seconds (15 minutes) to
+-- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.
+-- Sessions obtained using AWS account (root) credentials are restricted to
+-- a maximum of 3600 seconds (one hour). If the specified duration is longer
+-- than one hour, the session obtained by using AWS account (root)
+-- credentials defaults to one hour.
+gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)
+gftDurationSeconds =
+    lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })
+        . mapping _Nat
+
+-- | The name of the federated user. The name is used as an identifier for the
+-- temporary security credentials (such as Bob). For example, you can
+-- reference the federated user name in a resource-based policy, such as in
+-- an Amazon S3 bucket policy.
+gftName :: Lens' GetFederationToken Text
+gftName = lens _gftName (\s a -> s { _gftName = a })
+
+-- | An IAM policy in JSON format that is passed with the GetFederationToken
+-- call and evaluated along with the policy or policies that are attached to
+-- the IAM user whose credentials are used to call GetFederationToken. The
+-- passed policy is used to scope down the permissions that are available to
+-- the IAM user, by allowing only a subset of the permissions that are
+-- granted to the IAM user. The passed policy cannot grant more permissions
+-- than those granted to the IAM user. The final permissions for the
+-- federated user are the most restrictive set based on the intersection of
+-- the passed policy and the IAM user policy. If you do not pass a policy,
+-- the resulting temporary security credentials have no effective
+-- permissions. The only exception is when the temporary security
+-- credentials are used to access a resource that has a resource-based
+-- policy that specifically allows the federated user to access the
+-- resource. For more information about how permissions work, see
+-- Permissions for GetFederationToken in Using Temporary Security
+-- Credentials.
+gftPolicy :: Lens' GetFederationToken (Maybe Text)
+gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })
+
+data GetFederationTokenResponse = GetFederationTokenResponse
+    { _gftrCredentials      :: Maybe Credentials
+    , _gftrFederatedUser    :: Maybe FederatedUser
+    , _gftrPackedPolicySize :: Maybe Nat
+    } deriving (Eq, Show)
+
+-- | 'GetFederationTokenResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gftrCredentials' @::@ 'Maybe' 'Credentials'
+--
+-- * 'gftrFederatedUser' @::@ 'Maybe' 'FederatedUser'
+--
+-- * 'gftrPackedPolicySize' @::@ 'Maybe' 'Natural'
+--
+getFederationTokenResponse :: GetFederationTokenResponse
+getFederationTokenResponse = GetFederationTokenResponse
+    { _gftrCredentials      = Nothing
+    , _gftrFederatedUser    = Nothing
+    , _gftrPackedPolicySize = Nothing
+    }
+
+-- | Credentials for the service API authentication.
+gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
+gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })
+
+-- | Identifiers for the federated user associated with the credentials (such
+-- as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
+-- can use the federated user's ARN in your resource-based policies, such as
+-- an Amazon S3 bucket policy.
+gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
+gftrFederatedUser =
+    lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })
+
+-- | A percentage value indicating the size of the policy in packed form. The
+-- service rejects policies for which the packed size is greater than 100
+-- percent of the allowed value.
+gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
+gftrPackedPolicySize =
+    lens _gftrPackedPolicySize (\s a -> s { _gftrPackedPolicySize = a })
+        . mapping _Nat
+
+instance ToPath GetFederationToken where
+    toPath = const "/"
+
+instance ToQuery GetFederationToken where
+    toQuery GetFederationToken{..} = mconcat
+        [ "DurationSeconds" =? _gftDurationSeconds
+        , "Name"            =? _gftName
+        , "Policy"          =? _gftPolicy
+        ]
+
+instance ToHeaders GetFederationToken
+
+instance AWSRequest GetFederationToken where
+    type Sv GetFederationToken = STS
+    type Rs GetFederationToken = GetFederationTokenResponse
+
+    request  = post "GetFederationToken"
+    response = xmlResponse
+
+instance FromXML GetFederationTokenResponse where
+    parseXML = withElement "GetFederationTokenResult" $ \x -> GetFederationTokenResponse
+        <$> x .@? "Credentials"
+        <*> x .@? "FederatedUser"
+        <*> x .@? "PackedPolicySize"
diff --git a/gen/Network/AWS/STS/GetSessionToken.hs b/gen/Network/AWS/STS/GetSessionToken.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/GetSessionToken.hs
@@ -0,0 +1,166 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.GetSessionToken
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+-- | Returns a set of temporary credentials for an AWS account or IAM user. The
+-- credentials consist of an access key ID, a secret access key, and a
+-- security token. Typically, you use GetSessionToken if you want to use MFA
+-- to protect programmatic calls to specific AWS APIs like Amazon EC2
+-- StopInstances. MFA-enabled IAM users would need to call GetSessionToken and
+-- submit an MFA code that is associated with their MFA device. Using the
+-- temporary security credentials that are returned from the call, IAM users
+-- can then make programmatic calls to APIs that require MFA authentication.
+-- The GetSessionToken action must be called by using the long-term AWS
+-- security credentials of the AWS account or an IAM user. Credentials that
+-- are created by IAM users are valid for the duration that you specify,
+-- between 900 seconds (15 minutes) and 129600 seconds (36 hours); credentials
+-- that are created by using account credentials have a maximum duration of
+-- 3600 seconds (1 hour). The permissions associated with the temporary
+-- security credentials returned by GetSessionToken are based on the
+-- permissions associated with account or IAM user whose credentials are used
+-- to call the action. If GetSessionToken is called using root account
+-- credentials, the temporary credentials have root account permissions.
+-- Similarly, if GetSessionToken is called using the credentials of an IAM
+-- user, the temporary credentials have the same permissions as the IAM user.
+-- For more information about using GetSessionToken to create temporary
+-- credentials, go to Creating Temporary Credentials to Enable Access for IAM
+-- Users in Using Temporary Security Credentials.
+--
+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>
+module Network.AWS.STS.GetSessionToken
+    (
+    -- * Request
+      GetSessionToken
+    -- ** Request constructor
+    , getSessionToken
+    -- ** Request lenses
+    , gstDurationSeconds
+    , gstSerialNumber
+    , gstTokenCode
+
+    -- * Response
+    , GetSessionTokenResponse
+    -- ** Response constructor
+    , getSessionTokenResponse
+    -- ** Response lenses
+    , gstrCredentials
+    ) where
+
+import Network.AWS.Prelude
+import Network.AWS.Request.Query
+import Network.AWS.STS.Types
+import qualified GHC.Exts
+
+data GetSessionToken = GetSessionToken
+    { _gstDurationSeconds :: Maybe Nat
+    , _gstSerialNumber    :: Maybe Text
+    , _gstTokenCode       :: Maybe Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'GetSessionToken' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gstDurationSeconds' @::@ 'Maybe' 'Natural'
+--
+-- * 'gstSerialNumber' @::@ 'Maybe' 'Text'
+--
+-- * 'gstTokenCode' @::@ 'Maybe' 'Text'
+--
+getSessionToken :: GetSessionToken
+getSessionToken = GetSessionToken
+    { _gstDurationSeconds = Nothing
+    , _gstSerialNumber    = Nothing
+    , _gstTokenCode       = Nothing
+    }
+
+-- | The duration, in seconds, that the credentials should remain valid.
+-- Acceptable durations for IAM user sessions range from 900 seconds (15
+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as
+-- the default. Sessions for AWS account owners are restricted to a maximum
+-- of 3600 seconds (one hour). If the duration is longer than one hour, the
+-- session for AWS account owners defaults to one hour.
+gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
+gstDurationSeconds =
+    lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })
+        . mapping _Nat
+
+-- | The identification number of the MFA device that is associated with the
+-- IAM user who is making the GetSessionToken call. Specify this value if
+-- the IAM user has a policy that requires MFA authentication. The value is
+-- either the serial number for a hardware device (such as GAHT12345678) or
+-- an Amazon Resource Name (ARN) for a virtual device (such as
+-- arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM
+-- user by going to the AWS Management Console and viewing the user's
+-- security credentials.
+gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
+gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })
+
+-- | The value provided by the MFA device, if MFA is required. If any policy
+-- requires the IAM user to submit an MFA code, specify this value. If MFA
+-- authentication is required, and the user does not provide a code when
+-- requesting a set of temporary security credentials, the user will receive
+-- an "access denied" response when requesting resources that require MFA
+-- authentication.
+gstTokenCode :: Lens' GetSessionToken (Maybe Text)
+gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })
+
+newtype GetSessionTokenResponse = GetSessionTokenResponse
+    { _gstrCredentials :: Maybe Credentials
+    } deriving (Eq, Show)
+
+-- | 'GetSessionTokenResponse' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'gstrCredentials' @::@ 'Maybe' 'Credentials'
+--
+getSessionTokenResponse :: GetSessionTokenResponse
+getSessionTokenResponse = GetSessionTokenResponse
+    { _gstrCredentials = Nothing
+    }
+
+-- | The session credentials for API authentication.
+gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
+gstrCredentials = lens _gstrCredentials (\s a -> s { _gstrCredentials = a })
+
+instance ToPath GetSessionToken where
+    toPath = const "/"
+
+instance ToQuery GetSessionToken where
+    toQuery GetSessionToken{..} = mconcat
+        [ "DurationSeconds" =? _gstDurationSeconds
+        , "SerialNumber"    =? _gstSerialNumber
+        , "TokenCode"       =? _gstTokenCode
+        ]
+
+instance ToHeaders GetSessionToken
+
+instance AWSRequest GetSessionToken where
+    type Sv GetSessionToken = STS
+    type Rs GetSessionToken = GetSessionTokenResponse
+
+    request  = post "GetSessionToken"
+    response = xmlResponse
+
+instance FromXML GetSessionTokenResponse where
+    parseXML = withElement "GetSessionTokenResult" $ \x -> GetSessionTokenResponse
+        <$> x .@? "Credentials"
diff --git a/gen/Network/AWS/STS/Types.hs b/gen/Network/AWS/STS/Types.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/STS/Types.hs
@@ -0,0 +1,228 @@
+{-# LANGUAGE DataKinds                   #-}
+{-# LANGUAGE DeriveGeneric               #-}
+{-# LANGUAGE FlexibleInstances           #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}
+{-# LANGUAGE LambdaCase                  #-}
+{-# LANGUAGE NoImplicitPrelude           #-}
+{-# LANGUAGE OverloadedStrings           #-}
+{-# LANGUAGE RecordWildCards             #-}
+{-# LANGUAGE TypeFamilies                #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Module      : Network.AWS.STS.Types
+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>
+-- License     : This Source Code Form is subject to the terms of
+--               the Mozilla Public License, v. 2.0.
+--               A copy of the MPL can be found in the LICENSE file or
+--               you can obtain it at http://mozilla.org/MPL/2.0/.
+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
+-- Stability   : experimental
+-- Portability : non-portable (GHC extensions)
+
+module Network.AWS.STS.Types
+    (
+    -- * Service
+      STS
+    -- ** Error
+    , RESTError
+    -- ** XML
+    , ns
+
+    -- * Credentials
+    , Credentials
+    , credentials
+    , cAccessKeyId
+    , cExpiration
+    , cSecretAccessKey
+    , cSessionToken
+
+    -- * FederatedUser
+    , FederatedUser
+    , federatedUser
+    , fuArn
+    , fuFederatedUserId
+
+    -- * AssumedRoleUser
+    , AssumedRoleUser
+    , assumedRoleUser
+    , aruArn
+    , aruAssumedRoleId
+    ) where
+
+import Network.AWS.Error
+import Network.AWS.Prelude
+import Network.AWS.Signing.V4
+import qualified GHC.Exts
+
+-- | Version @2011-06-15@ of the Amazon Security Token Service service.
+data STS
+
+instance AWSService STS where
+    type Sg STS = V4
+    type Er STS = RESTError
+
+    service = Service
+        { _svcEndpoint     = global
+        , _svcAbbrev       = "STS"
+        , _svcPrefix       = "sts"
+        , _svcVersion      = "2011-06-15"
+        , _svcTargetPrefix = Nothing
+        , _svcJSONVersion  = Nothing
+        }
+
+    handle = restError statusSuccess
+
+ns :: Text
+ns = "https://sts.amazonaws.com/doc/2011-06-15/"
+
+data Credentials = Credentials
+    { _cAccessKeyId     :: Text
+    , _cExpiration      :: RFC822
+    , _cSecretAccessKey :: Text
+    , _cSessionToken    :: Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'Credentials' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'cAccessKeyId' @::@ 'Text'
+--
+-- * 'cExpiration' @::@ 'UTCTime'
+--
+-- * 'cSecretAccessKey' @::@ 'Text'
+--
+-- * 'cSessionToken' @::@ 'Text'
+--
+credentials :: Text -- ^ 'cAccessKeyId'
+            -> Text -- ^ 'cSecretAccessKey'
+            -> Text -- ^ 'cSessionToken'
+            -> UTCTime -- ^ 'cExpiration'
+            -> Credentials
+credentials p1 p2 p3 p4 = Credentials
+    { _cAccessKeyId     = p1
+    , _cSecretAccessKey = p2
+    , _cSessionToken    = p3
+    , _cExpiration      = withIso _Time (const id) p4
+    }
+
+-- | The access key ID that identifies the temporary security credentials.
+cAccessKeyId :: Lens' Credentials Text
+cAccessKeyId = lens _cAccessKeyId (\s a -> s { _cAccessKeyId = a })
+
+-- | The date on which the current credentials expire.
+cExpiration :: Lens' Credentials UTCTime
+cExpiration = lens _cExpiration (\s a -> s { _cExpiration = a }) . _Time
+
+-- | The secret access key that can be used to sign requests.
+cSecretAccessKey :: Lens' Credentials Text
+cSecretAccessKey = lens _cSecretAccessKey (\s a -> s { _cSecretAccessKey = a })
+
+-- | The token that users must pass to the service API to use the temporary
+-- credentials.
+cSessionToken :: Lens' Credentials Text
+cSessionToken = lens _cSessionToken (\s a -> s { _cSessionToken = a })
+
+instance FromXML Credentials where
+    parseXML x = Credentials
+        <$> x .@  "AccessKeyId"
+        <*> x .@  "Expiration"
+        <*> x .@  "SecretAccessKey"
+        <*> x .@  "SessionToken"
+
+instance ToQuery Credentials where
+    toQuery Credentials{..} = mconcat
+        [ "AccessKeyId"     =? _cAccessKeyId
+        , "Expiration"      =? _cExpiration
+        , "SecretAccessKey" =? _cSecretAccessKey
+        , "SessionToken"    =? _cSessionToken
+        ]
+
+data FederatedUser = FederatedUser
+    { _fuArn             :: Text
+    , _fuFederatedUserId :: Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'FederatedUser' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'fuArn' @::@ 'Text'
+--
+-- * 'fuFederatedUserId' @::@ 'Text'
+--
+federatedUser :: Text -- ^ 'fuFederatedUserId'
+              -> Text -- ^ 'fuArn'
+              -> FederatedUser
+federatedUser p1 p2 = FederatedUser
+    { _fuFederatedUserId = p1
+    , _fuArn             = p2
+    }
+
+-- | The ARN that specifies the federated user that is associated with the
+-- credentials. For more information about ARNs and how to use them in
+-- policies, see Identifiers for IAM Entities in Using IAM.
+fuArn :: Lens' FederatedUser Text
+fuArn = lens _fuArn (\s a -> s { _fuArn = a })
+
+-- | The string that identifies the federated user associated with the
+-- credentials, similar to the unique ID of an IAM user.
+fuFederatedUserId :: Lens' FederatedUser Text
+fuFederatedUserId =
+    lens _fuFederatedUserId (\s a -> s { _fuFederatedUserId = a })
+
+instance FromXML FederatedUser where
+    parseXML x = FederatedUser
+        <$> x .@  "Arn"
+        <*> x .@  "FederatedUserId"
+
+instance ToQuery FederatedUser where
+    toQuery FederatedUser{..} = mconcat
+        [ "Arn"             =? _fuArn
+        , "FederatedUserId" =? _fuFederatedUserId
+        ]
+
+data AssumedRoleUser = AssumedRoleUser
+    { _aruArn           :: Text
+    , _aruAssumedRoleId :: Text
+    } deriving (Eq, Ord, Show)
+
+-- | 'AssumedRoleUser' constructor.
+--
+-- The fields accessible through corresponding lenses are:
+--
+-- * 'aruArn' @::@ 'Text'
+--
+-- * 'aruAssumedRoleId' @::@ 'Text'
+--
+assumedRoleUser :: Text -- ^ 'aruAssumedRoleId'
+                -> Text -- ^ 'aruArn'
+                -> AssumedRoleUser
+assumedRoleUser p1 p2 = AssumedRoleUser
+    { _aruAssumedRoleId = p1
+    , _aruArn           = p2
+    }
+
+-- | The ARN of the temporary security credentials that are returned from the
+-- AssumeRole action. For more information about ARNs and how to use them in
+-- policies, see Identifiers for IAM Entities in Using IAM.
+aruArn :: Lens' AssumedRoleUser Text
+aruArn = lens _aruArn (\s a -> s { _aruArn = a })
+
+-- | A unique identifier that contains the role ID and the role session name
+-- of the role that is being assumed. The role ID is generated by AWS when
+-- the role is created.
+aruAssumedRoleId :: Lens' AssumedRoleUser Text
+aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })
+
+instance FromXML AssumedRoleUser where
+    parseXML x = AssumedRoleUser
+        <$> x .@  "Arn"
+        <*> x .@  "AssumedRoleId"
+
+instance ToQuery AssumedRoleUser where
+    toQuery AssumedRoleUser{..} = mconcat
+        [ "Arn"           =? _aruArn
+        , "AssumedRoleId" =? _aruAssumedRoleId
+        ]
