Update aws-sdk-go

The most relevant of the changes is tagging support for more IAM entities including OIDC providers
2021-02-15 14:45:28 -06:00 · 2021-02-15 14:45:28 -06:00 · 765a912bbb
parent 6169508aa8
commit 765a912bbb
18 changed files with 5857 additions and 841 deletions
--- a/go.mod
+++ b/go.mod
@ -59,7 +59,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/aliyun/alibaba-cloud-sdk-go v1.61.264
 	github.com/aws/amazon-ec2-instance-selector/v2 v2.0.1
-	github.com/aws/aws-sdk-go v1.37.0
+	github.com/aws/aws-sdk-go v1.37.11
 	github.com/blang/semver/v4 v4.0.0
 	github.com/chai2010/gettext-go v0.0.0-20170215093142-bf70f2a70fb1 // indirect
 	github.com/denverdino/aliyungo v0.0.0-20191128015008-acd8035bbb1d
--- a/go.sum
+++ b/go.sum
@ -163,8 +163,8 @@ github.com/aws/aws-sdk-go v1.28.2/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.31.12/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go v1.34.30/go.mod h1:H7NKnBqNVzoTJpGfLrQkkD+ytBA93eiDYi/+8rV9s48=
 github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k=
-github.com/aws/aws-sdk-go v1.37.0 h1:GzFnhOIsrGyQ69s7VgqtrG2BG8v7X7vwB3Xpbd/DBBk=
-github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
+github.com/aws/aws-sdk-go v1.37.11 h1:W1gUQxt6jmiUsk2jkTVAlYsd3Sg8bNL2VDcWjrXmD+0=
+github.com/aws/aws-sdk-go v1.37.11/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/beorn7/perks v0.0.0-20160804104726-4c0e84591b9a/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
--- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go
@ -358,6 +358,22 @@ var awsPartition = partition{
 				"us-west-2":      endpoint{},
 			},
 		},
+		"amplifybackend": service{
+
+			Endpoints: endpoints{
+				"ap-northeast-2": endpoint{},
+				"ap-south-1":     endpoint{},
+				"ap-southeast-1": endpoint{},
+				"ap-southeast-2": endpoint{},
+				"eu-central-1":   endpoint{},
+				"eu-south-1":     endpoint{},
+				"eu-west-1":      endpoint{},
+				"eu-west-2":      endpoint{},
+				"us-east-1":      endpoint{},
+				"us-east-2":      endpoint{},
+				"us-west-2":      endpoint{},
+			},
+		},
 		"api.detective": service{
 			Defaults: endpoint{
 				Protocols: []string{"https"},
@ -1583,6 +1599,12 @@ var awsPartition = partition{
 						Region: "us-east-2",
 					},
 				},
+				"fips-us-west-1": endpoint{
+					Hostname: "cognito-idp-fips.us-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-west-1",
+					},
+				},
 				"fips-us-west-2": endpoint{
 					Hostname: "cognito-idp-fips.us-west-2.amazonaws.com",
 					CredentialScope: credentialScope{
@ -7449,6 +7471,16 @@ var awscnPartition = partition{
 				"cn-north-1": endpoint{},
 			},
 		},
+		"guardduty": service{
+			IsRegionalized: boxedTrue,
+			Defaults: endpoint{
+				Protocols: []string{"https"},
+			},
+			Endpoints: endpoints{
+				"cn-north-1":     endpoint{},
+				"cn-northwest-1": endpoint{},
+			},
+		},
 		"health": service{

 			Endpoints: endpoints{
@ -8323,6 +8355,12 @@ var awsusgovPartition = partition{
 				"us-gov-west-1": endpoint{},
 			},
 		},
+		"connect": service{
+
+			Endpoints: endpoints{
+				"us-gov-west-1": endpoint{},
+			},
+		},
 		"datasync": service{

 			Endpoints: endpoints{
@ -8964,6 +9002,22 @@ var awsusgovPartition = partition{
 				"us-gov-west-1": endpoint{},
 			},
 		},
+		"models.lex": service{
+			Defaults: endpoint{
+				CredentialScope: credentialScope{
+					Service: "lex",
+				},
+			},
+			Endpoints: endpoints{
+				"us-gov-west-1": endpoint{},
+				"us-gov-west-1-fips": endpoint{
+					Hostname: "models-fips.lex.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
+			},
+		},
 		"monitoring": service{

 			Endpoints: endpoints{
@ -9169,10 +9223,32 @@ var awsusgovPartition = partition{
 				"us-gov-west-1": endpoint{},
 			},
 		},
+		"runtime.lex": service{
+			Defaults: endpoint{
+				CredentialScope: credentialScope{
+					Service: "lex",
+				},
+			},
+			Endpoints: endpoints{
+				"us-gov-west-1": endpoint{},
+				"us-gov-west-1-fips": endpoint{
+					Hostname: "runtime-fips.lex.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
+			},
+		},
 		"runtime.sagemaker": service{

 			Endpoints: endpoints{
 				"us-gov-west-1": endpoint{},
+				"us-gov-west-1-fips": endpoint{
+					Hostname: "runtime.sagemaker.us-gov-west-1.amazonaws.com",
+					CredentialScope: credentialScope{
+						Region: "us-gov-west-1",
+					},
+				},
 			},
 		},
 		"s3": service{
@ -9892,12 +9968,30 @@ var awsisoPartition = partition{
 				"us-iso-east-1": endpoint{},
 			},
 		},
+		"medialive": service{
+
+			Endpoints: endpoints{
+				"us-iso-east-1": endpoint{},
+			},
+		},
+		"mediapackage": service{
+
+			Endpoints: endpoints{
+				"us-iso-east-1": endpoint{},
+			},
+		},
 		"monitoring": service{

 			Endpoints: endpoints{
 				"us-iso-east-1": endpoint{},
 			},
 		},
+		"outposts": service{
+
+			Endpoints: endpoints{
+				"us-iso-east-1": endpoint{},
+			},
+		},
 		"rds": service{

 			Endpoints: endpoints{
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/credentials.go
@ -102,7 +102,7 @@ func resolveCredsFromProfile(cfg *aws.Config,
 		)

 	case sharedCfg.hasSSOConfiguration():
-		creds = resolveSSOCredentials(cfg, sharedCfg, handlers)
+		creds, err = resolveSSOCredentials(cfg, sharedCfg, handlers)

 	case len(sharedCfg.CredentialProcess) != 0:
 		// Get credentials from CredentialProcess
@ -155,7 +155,11 @@ func resolveCredsFromProfile(cfg *aws.Config,
 	return creds, nil
 }

-func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers request.Handlers) *credentials.Credentials {
+func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers request.Handlers) (*credentials.Credentials, error) {
+	if err := sharedCfg.validateSSOConfiguration(); err != nil {
+		return nil, err
+	}
+
 	cfgCopy := cfg.Copy()
 	cfgCopy.Region = &sharedCfg.SSORegion

@ -167,7 +171,7 @@ func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers req
 		sharedCfg.SSOAccountID,
 		sharedCfg.SSORoleName,
 		sharedCfg.SSOStartURL,
-	)
+	), nil
 }

 // valid credential source values
--- a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go
@ -70,6 +70,8 @@ const (

 // sharedConfig represents the configuration fields of the SDK config files.
 type sharedConfig struct {
+	Profile string
+
 	// Credentials values from the config file. Both aws_access_key_id and
 	// aws_secret_access_key must be provided together in the same file to be
 	// considered valid. The values will be ignored if not a complete group.
@ -201,6 +203,8 @@ func loadSharedConfigIniFiles(filenames []string) ([]sharedConfigFile, error) {
 }

 func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile string, files []sharedConfigFile, exOpts bool) error {
+	cfg.Profile = profile
+
 	// Trim files from the list that don't exist.
 	var skippedFiles int
 	var profileNotFoundErr error
@ -365,10 +369,6 @@ func (cfg *sharedConfig) validateCredentialsConfig(profile string) error {
 		return err
 	}

-	if err := cfg.validateSSOConfiguration(profile); err != nil {
-		return err
-	}
-
 	return nil
 }

@ -409,7 +409,7 @@ func (cfg *sharedConfig) validateCredentialType() error {
 	return nil
 }

-func (cfg *sharedConfig) validateSSOConfiguration(profile string) error {
+func (cfg *sharedConfig) validateSSOConfiguration() error {
 	if !cfg.hasSSOConfiguration() {
 		return nil
 	}
@ -433,7 +433,7 @@ func (cfg *sharedConfig) validateSSOConfiguration(profile string) error {

 	if len(missing) > 0 {
 		return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
-			profile, strings.Join(missing, ", "))
+			cfg.Profile, strings.Join(missing, ", "))
 	}

 	return nil
--- a/vendor/github.com/aws/aws-sdk-go/aws/version.go
+++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go
@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"

 // SDKVersion is the version of this SDK
-const SDKVersion = "1.37.0"
+const SDKVersion = "1.37.11"
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/ec2/ec2iface/interface.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/ec2iface/interface.go
@ -712,6 +712,13 @@ type EC2API interface {
 	DescribeAddressesWithContext(aws.Context, *ec2.DescribeAddressesInput, ...request.Option) (*ec2.DescribeAddressesOutput, error)
 	DescribeAddressesRequest(*ec2.DescribeAddressesInput) (*request.Request, *ec2.DescribeAddressesOutput)

+	DescribeAddressesAttribute(*ec2.DescribeAddressesAttributeInput) (*ec2.DescribeAddressesAttributeOutput, error)
+	DescribeAddressesAttributeWithContext(aws.Context, *ec2.DescribeAddressesAttributeInput, ...request.Option) (*ec2.DescribeAddressesAttributeOutput, error)
+	DescribeAddressesAttributeRequest(*ec2.DescribeAddressesAttributeInput) (*request.Request, *ec2.DescribeAddressesAttributeOutput)
+
+	DescribeAddressesAttributePages(*ec2.DescribeAddressesAttributeInput, func(*ec2.DescribeAddressesAttributeOutput, bool) bool) error
+	DescribeAddressesAttributePagesWithContext(aws.Context, *ec2.DescribeAddressesAttributeInput, func(*ec2.DescribeAddressesAttributeOutput, bool) bool, ...request.Option) error
+
 	DescribeAggregateIdFormat(*ec2.DescribeAggregateIdFormatInput) (*ec2.DescribeAggregateIdFormatOutput, error)
 	DescribeAggregateIdFormatWithContext(aws.Context, *ec2.DescribeAggregateIdFormatInput, ...request.Option) (*ec2.DescribeAggregateIdFormatOutput, error)
 	DescribeAggregateIdFormatRequest(*ec2.DescribeAggregateIdFormatInput) (*request.Request, *ec2.DescribeAggregateIdFormatOutput)
@ -1691,6 +1698,10 @@ type EC2API interface {
 	ImportVolumeWithContext(aws.Context, *ec2.ImportVolumeInput, ...request.Option) (*ec2.ImportVolumeOutput, error)
 	ImportVolumeRequest(*ec2.ImportVolumeInput) (*request.Request, *ec2.ImportVolumeOutput)

+	ModifyAddressAttribute(*ec2.ModifyAddressAttributeInput) (*ec2.ModifyAddressAttributeOutput, error)
+	ModifyAddressAttributeWithContext(aws.Context, *ec2.ModifyAddressAttributeInput, ...request.Option) (*ec2.ModifyAddressAttributeOutput, error)
+	ModifyAddressAttributeRequest(*ec2.ModifyAddressAttributeInput) (*request.Request, *ec2.ModifyAddressAttributeOutput)
+
 	ModifyAvailabilityZoneGroup(*ec2.ModifyAvailabilityZoneGroupInput) (*ec2.ModifyAvailabilityZoneGroupOutput, error)
 	ModifyAvailabilityZoneGroupWithContext(aws.Context, *ec2.ModifyAvailabilityZoneGroupInput, ...request.Option) (*ec2.ModifyAvailabilityZoneGroupOutput, error)
 	ModifyAvailabilityZoneGroupRequest(*ec2.ModifyAvailabilityZoneGroupInput) (*request.Request, *ec2.ModifyAvailabilityZoneGroupOutput)
@ -1971,6 +1982,10 @@ type EC2API interface {
 	RequestSpotInstancesWithContext(aws.Context, *ec2.RequestSpotInstancesInput, ...request.Option) (*ec2.RequestSpotInstancesOutput, error)
 	RequestSpotInstancesRequest(*ec2.RequestSpotInstancesInput) (*request.Request, *ec2.RequestSpotInstancesOutput)

+	ResetAddressAttribute(*ec2.ResetAddressAttributeInput) (*ec2.ResetAddressAttributeOutput, error)
+	ResetAddressAttributeWithContext(aws.Context, *ec2.ResetAddressAttributeInput, ...request.Option) (*ec2.ResetAddressAttributeOutput, error)
+	ResetAddressAttributeRequest(*ec2.ResetAddressAttributeInput) (*request.Request, *ec2.ResetAddressAttributeOutput)
+
 	ResetEbsDefaultKmsKeyId(*ec2.ResetEbsDefaultKmsKeyIdInput) (*ec2.ResetEbsDefaultKmsKeyIdOutput, error)
 	ResetEbsDefaultKmsKeyIdWithContext(aws.Context, *ec2.ResetEbsDefaultKmsKeyIdInput, ...request.Option) (*ec2.ResetEbsDefaultKmsKeyIdOutput, error)
 	ResetEbsDefaultKmsKeyIdRequest(*ec2.ResetEbsDefaultKmsKeyIdInput) (*request.Request, *ec2.ResetEbsDefaultKmsKeyIdOutput)
--- a/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/elbv2/api.go
@ -245,7 +245,7 @@ func (c *ELBV2) CreateListenerRequest(input *CreateListenerInput) (req *request.
 // CreateListener API operation for Elastic Load Balancing.
 //
 // Creates a listener for the specified Application Load Balancer, Network Load
-// Balancer. or Gateway Load Balancer.
+// Balancer, or Gateway Load Balancer.
 //
 // For more information, see the following:
 //
@ -4672,10 +4672,10 @@ type CreateTargetGroupInput struct {
 	HealthCheckEnabled *bool `type:"boolean"`

 	// The approximate amount of time, in seconds, between health checks of an individual
-	// target. For TCP health checks, the supported values are 10 and 30 seconds.
-	// If the target type is instance or ip, the default is 30 seconds. If the target
-	// group protocol is GENEVE, the default is 10 seconds. If the target type is
-	// lambda, the default is 35 seconds.
+	// target. If the target group protocol is TCP, TLS, UDP, or TCP_UDP, the supported
+	// values are 10 and 30 seconds. If the target group protocol is HTTP or HTTPS,
+	// the default is 30 seconds. If the target group protocol is GENEVE, the default
+	// is 10 seconds. If the target type is lambda, the default is 35 seconds.
 	HealthCheckIntervalSeconds *int64 `min:"5" type:"integer"`

 	// [HTTP/HTTPS health checks] The destination for health checks on the targets.
@ -6804,7 +6804,9 @@ type LoadBalancerState struct {

 	// The state code. The initial state of the load balancer is provisioning. After
 	// the load balancer is fully set up and ready to route traffic, its state is
-	// active. If the load balancer could not be set up, its state is failed.
+	// active. If load balancer is routing traffic but does not have the resources
+	// it needs to scale, its state isactive_impaired. If the load balancer could
+	// not be set up, its state is failed.
 	Code *string `type:"string" enum:"LoadBalancerStateEnum"`

 	// A description of the state.
@ -8963,8 +8965,8 @@ type TargetGroupAttribute struct {
 	//    The value is true or false. The default is false.
 	//
 	//    * stickiness.type - The type of sticky sessions. The possible values are
-	//    lb_cookie for Application Load Balancers or source_ip for Network Load
-	//    Balancers.
+	//    lb_cookie and app_cookie for Application Load Balancers or source_ip for
+	//    Network Load Balancers.
 	//
 	// The following attributes are supported only if the load balancer is an Application
 	// Load Balancer and the target is an instance or an IP address:
@ -8979,6 +8981,16 @@ type TargetGroupAttribute struct {
 	//    its full share of traffic. The range is 30-900 seconds (15 minutes). The
 	//    default is 0 seconds (disabled).
 	//
+	//    * stickiness.app_cookie.cookie_name - Indicates the name of the application-based
+	//    cookie. Names that start with the following names are not allowed: AWSALB,
+	//    AWSALBAPP, and AWSALBTG. They're reserved for use by the load balancer.
+	//
+	//    * stickiness.app_cookie.duration_seconds - The time period, in seconds,
+	//    during which requests from a client should be routed to the same target.
+	//    After this time period expires, the application-based cookie is considered
+	//    stale. The range is 1 second to 1 week (604800 seconds). The default value
+	//    is 1 day (86400 seconds).
+	//
 	//    * stickiness.lb_cookie.duration_seconds - The time period, in seconds,
 	//    during which requests from a client should be routed to the same target.
 	//    After this time period expires, the load balancer-generated cookie is
@ -9001,6 +9013,12 @@ type TargetGroupAttribute struct {
 	//    the load balancer terminates connections at the end of the deregistration
 	//    timeout. The value is true or false. The default is false.
 	//
+	//    * preserve_client_ip.enabled - Indicates whether client IP preservation
+	//    is enabled. The value is true or false. The default is disabled if the
+	//    target group type is IP address and the target group protocol is TCP or
+	//    TLS. Otherwise, the default is enabled. Client IP preservation cannot
+	//    be disabled for UDP and TCP_UDP target groups.
+	//
 	//    * proxy_protocol_v2.enabled - Indicates whether Proxy Protocol version
 	//    2 is enabled. The value is true or false. The default is false.
 	Key *string `type:"string"`
--- a/vendor/github.com/aws/aws-sdk-go/service/iam/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/iam/api.go
--- a/vendor/github.com/aws/aws-sdk-go/service/iam/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/iam/errors.go
@ -17,7 +17,7 @@ const (
 	//
 	// The request was rejected because the most recent credential report has expired.
 	// To generate a new credential report, use GenerateCredentialReport. For more
-	// information about credential report expiration, see Getting Credential Reports
+	// information about credential report expiration, see Getting credential reports
 	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html)
 	// in the IAM User Guide.
 	ErrCodeCredentialReportExpiredException = "ReportExpired"
@ -117,8 +117,7 @@ const (
 	// "LimitExceeded".
 	//
 	// The request was rejected because it attempted to create resources beyond
-	// the current AWS account limitations. The error message describes the limit
-	// exceeded.
+	// the current AWS account limits. The error message describes the limit exceeded.
 	ErrCodeLimitExceededException = "LimitExceeded"

 	// ErrCodeMalformedCertificateException for service response error code
--- a/vendor/github.com/aws/aws-sdk-go/service/iam/iamiface/interface.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/iam/iamiface/interface.go
@ -437,6 +437,10 @@ type IAMAPI interface {
 	ListGroupsForUserPages(*iam.ListGroupsForUserInput, func(*iam.ListGroupsForUserOutput, bool) bool) error
 	ListGroupsForUserPagesWithContext(aws.Context, *iam.ListGroupsForUserInput, func(*iam.ListGroupsForUserOutput, bool) bool, ...request.Option) error

+	ListInstanceProfileTags(*iam.ListInstanceProfileTagsInput) (*iam.ListInstanceProfileTagsOutput, error)
+	ListInstanceProfileTagsWithContext(aws.Context, *iam.ListInstanceProfileTagsInput, ...request.Option) (*iam.ListInstanceProfileTagsOutput, error)
+	ListInstanceProfileTagsRequest(*iam.ListInstanceProfileTagsInput) (*request.Request, *iam.ListInstanceProfileTagsOutput)
+
 	ListInstanceProfiles(*iam.ListInstanceProfilesInput) (*iam.ListInstanceProfilesOutput, error)
 	ListInstanceProfilesWithContext(aws.Context, *iam.ListInstanceProfilesInput, ...request.Option) (*iam.ListInstanceProfilesOutput, error)
 	ListInstanceProfilesRequest(*iam.ListInstanceProfilesInput) (*request.Request, *iam.ListInstanceProfilesOutput)
@ -451,6 +455,10 @@ type IAMAPI interface {
 	ListInstanceProfilesForRolePages(*iam.ListInstanceProfilesForRoleInput, func(*iam.ListInstanceProfilesForRoleOutput, bool) bool) error
 	ListInstanceProfilesForRolePagesWithContext(aws.Context, *iam.ListInstanceProfilesForRoleInput, func(*iam.ListInstanceProfilesForRoleOutput, bool) bool, ...request.Option) error

+	ListMFADeviceTags(*iam.ListMFADeviceTagsInput) (*iam.ListMFADeviceTagsOutput, error)
+	ListMFADeviceTagsWithContext(aws.Context, *iam.ListMFADeviceTagsInput, ...request.Option) (*iam.ListMFADeviceTagsOutput, error)
+	ListMFADeviceTagsRequest(*iam.ListMFADeviceTagsInput) (*request.Request, *iam.ListMFADeviceTagsOutput)
+
 	ListMFADevices(*iam.ListMFADevicesInput) (*iam.ListMFADevicesOutput, error)
 	ListMFADevicesWithContext(aws.Context, *iam.ListMFADevicesInput, ...request.Option) (*iam.ListMFADevicesOutput, error)
 	ListMFADevicesRequest(*iam.ListMFADevicesInput) (*request.Request, *iam.ListMFADevicesOutput)
@ -458,6 +466,10 @@ type IAMAPI interface {
 	ListMFADevicesPages(*iam.ListMFADevicesInput, func(*iam.ListMFADevicesOutput, bool) bool) error
 	ListMFADevicesPagesWithContext(aws.Context, *iam.ListMFADevicesInput, func(*iam.ListMFADevicesOutput, bool) bool, ...request.Option) error

+	ListOpenIDConnectProviderTags(*iam.ListOpenIDConnectProviderTagsInput) (*iam.ListOpenIDConnectProviderTagsOutput, error)
+	ListOpenIDConnectProviderTagsWithContext(aws.Context, *iam.ListOpenIDConnectProviderTagsInput, ...request.Option) (*iam.ListOpenIDConnectProviderTagsOutput, error)
+	ListOpenIDConnectProviderTagsRequest(*iam.ListOpenIDConnectProviderTagsInput) (*request.Request, *iam.ListOpenIDConnectProviderTagsOutput)
+
 	ListOpenIDConnectProviders(*iam.ListOpenIDConnectProvidersInput) (*iam.ListOpenIDConnectProvidersOutput, error)
 	ListOpenIDConnectProvidersWithContext(aws.Context, *iam.ListOpenIDConnectProvidersInput, ...request.Option) (*iam.ListOpenIDConnectProvidersOutput, error)
 	ListOpenIDConnectProvidersRequest(*iam.ListOpenIDConnectProvidersInput) (*request.Request, *iam.ListOpenIDConnectProvidersOutput)
@ -473,6 +485,10 @@ type IAMAPI interface {
 	ListPoliciesGrantingServiceAccessWithContext(aws.Context, *iam.ListPoliciesGrantingServiceAccessInput, ...request.Option) (*iam.ListPoliciesGrantingServiceAccessOutput, error)
 	ListPoliciesGrantingServiceAccessRequest(*iam.ListPoliciesGrantingServiceAccessInput) (*request.Request, *iam.ListPoliciesGrantingServiceAccessOutput)

+	ListPolicyTags(*iam.ListPolicyTagsInput) (*iam.ListPolicyTagsOutput, error)
+	ListPolicyTagsWithContext(aws.Context, *iam.ListPolicyTagsInput, ...request.Option) (*iam.ListPolicyTagsOutput, error)
+	ListPolicyTagsRequest(*iam.ListPolicyTagsInput) (*request.Request, *iam.ListPolicyTagsOutput)
+
 	ListPolicyVersions(*iam.ListPolicyVersionsInput) (*iam.ListPolicyVersionsOutput, error)
 	ListPolicyVersionsWithContext(aws.Context, *iam.ListPolicyVersionsInput, ...request.Option) (*iam.ListPolicyVersionsOutput, error)
 	ListPolicyVersionsRequest(*iam.ListPolicyVersionsInput) (*request.Request, *iam.ListPolicyVersionsOutput)
@ -498,6 +514,10 @@ type IAMAPI interface {
 	ListRolesPages(*iam.ListRolesInput, func(*iam.ListRolesOutput, bool) bool) error
 	ListRolesPagesWithContext(aws.Context, *iam.ListRolesInput, func(*iam.ListRolesOutput, bool) bool, ...request.Option) error

+	ListSAMLProviderTags(*iam.ListSAMLProviderTagsInput) (*iam.ListSAMLProviderTagsOutput, error)
+	ListSAMLProviderTagsWithContext(aws.Context, *iam.ListSAMLProviderTagsInput, ...request.Option) (*iam.ListSAMLProviderTagsOutput, error)
+	ListSAMLProviderTagsRequest(*iam.ListSAMLProviderTagsInput) (*request.Request, *iam.ListSAMLProviderTagsOutput)
+
 	ListSAMLProviders(*iam.ListSAMLProvidersInput) (*iam.ListSAMLProvidersOutput, error)
 	ListSAMLProvidersWithContext(aws.Context, *iam.ListSAMLProvidersInput, ...request.Option) (*iam.ListSAMLProvidersOutput, error)
 	ListSAMLProvidersRequest(*iam.ListSAMLProvidersInput) (*request.Request, *iam.ListSAMLProvidersOutput)
@ -509,6 +529,10 @@ type IAMAPI interface {
 	ListSSHPublicKeysPages(*iam.ListSSHPublicKeysInput, func(*iam.ListSSHPublicKeysOutput, bool) bool) error
 	ListSSHPublicKeysPagesWithContext(aws.Context, *iam.ListSSHPublicKeysInput, func(*iam.ListSSHPublicKeysOutput, bool) bool, ...request.Option) error

+	ListServerCertificateTags(*iam.ListServerCertificateTagsInput) (*iam.ListServerCertificateTagsOutput, error)
+	ListServerCertificateTagsWithContext(aws.Context, *iam.ListServerCertificateTagsInput, ...request.Option) (*iam.ListServerCertificateTagsOutput, error)
+	ListServerCertificateTagsRequest(*iam.ListServerCertificateTagsInput) (*request.Request, *iam.ListServerCertificateTagsOutput)
+
 	ListServerCertificates(*iam.ListServerCertificatesInput) (*iam.ListServerCertificatesOutput, error)
 	ListServerCertificatesWithContext(aws.Context, *iam.ListServerCertificatesInput, ...request.Option) (*iam.ListServerCertificatesOutput, error)
 	ListServerCertificatesRequest(*iam.ListServerCertificatesInput) (*request.Request, *iam.ListServerCertificatesOutput)
@ -614,18 +638,66 @@ type IAMAPI interface {
 	SimulatePrincipalPolicyPages(*iam.SimulatePrincipalPolicyInput, func(*iam.SimulatePolicyResponse, bool) bool) error
 	SimulatePrincipalPolicyPagesWithContext(aws.Context, *iam.SimulatePrincipalPolicyInput, func(*iam.SimulatePolicyResponse, bool) bool, ...request.Option) error

+	TagInstanceProfile(*iam.TagInstanceProfileInput) (*iam.TagInstanceProfileOutput, error)
+	TagInstanceProfileWithContext(aws.Context, *iam.TagInstanceProfileInput, ...request.Option) (*iam.TagInstanceProfileOutput, error)
+	TagInstanceProfileRequest(*iam.TagInstanceProfileInput) (*request.Request, *iam.TagInstanceProfileOutput)
+
+	TagMFADevice(*iam.TagMFADeviceInput) (*iam.TagMFADeviceOutput, error)
+	TagMFADeviceWithContext(aws.Context, *iam.TagMFADeviceInput, ...request.Option) (*iam.TagMFADeviceOutput, error)
+	TagMFADeviceRequest(*iam.TagMFADeviceInput) (*request.Request, *iam.TagMFADeviceOutput)
+
+	TagOpenIDConnectProvider(*iam.TagOpenIDConnectProviderInput) (*iam.TagOpenIDConnectProviderOutput, error)
+	TagOpenIDConnectProviderWithContext(aws.Context, *iam.TagOpenIDConnectProviderInput, ...request.Option) (*iam.TagOpenIDConnectProviderOutput, error)
+	TagOpenIDConnectProviderRequest(*iam.TagOpenIDConnectProviderInput) (*request.Request, *iam.TagOpenIDConnectProviderOutput)
+
+	TagPolicy(*iam.TagPolicyInput) (*iam.TagPolicyOutput, error)
+	TagPolicyWithContext(aws.Context, *iam.TagPolicyInput, ...request.Option) (*iam.TagPolicyOutput, error)
+	TagPolicyRequest(*iam.TagPolicyInput) (*request.Request, *iam.TagPolicyOutput)
+
 	TagRole(*iam.TagRoleInput) (*iam.TagRoleOutput, error)
 	TagRoleWithContext(aws.Context, *iam.TagRoleInput, ...request.Option) (*iam.TagRoleOutput, error)
 	TagRoleRequest(*iam.TagRoleInput) (*request.Request, *iam.TagRoleOutput)

+	TagSAMLProvider(*iam.TagSAMLProviderInput) (*iam.TagSAMLProviderOutput, error)
+	TagSAMLProviderWithContext(aws.Context, *iam.TagSAMLProviderInput, ...request.Option) (*iam.TagSAMLProviderOutput, error)
+	TagSAMLProviderRequest(*iam.TagSAMLProviderInput) (*request.Request, *iam.TagSAMLProviderOutput)
+
+	TagServerCertificate(*iam.TagServerCertificateInput) (*iam.TagServerCertificateOutput, error)
+	TagServerCertificateWithContext(aws.Context, *iam.TagServerCertificateInput, ...request.Option) (*iam.TagServerCertificateOutput, error)
+	TagServerCertificateRequest(*iam.TagServerCertificateInput) (*request.Request, *iam.TagServerCertificateOutput)
+
 	TagUser(*iam.TagUserInput) (*iam.TagUserOutput, error)
 	TagUserWithContext(aws.Context, *iam.TagUserInput, ...request.Option) (*iam.TagUserOutput, error)
 	TagUserRequest(*iam.TagUserInput) (*request.Request, *iam.TagUserOutput)

+	UntagInstanceProfile(*iam.UntagInstanceProfileInput) (*iam.UntagInstanceProfileOutput, error)
+	UntagInstanceProfileWithContext(aws.Context, *iam.UntagInstanceProfileInput, ...request.Option) (*iam.UntagInstanceProfileOutput, error)
+	UntagInstanceProfileRequest(*iam.UntagInstanceProfileInput) (*request.Request, *iam.UntagInstanceProfileOutput)
+
+	UntagMFADevice(*iam.UntagMFADeviceInput) (*iam.UntagMFADeviceOutput, error)
+	UntagMFADeviceWithContext(aws.Context, *iam.UntagMFADeviceInput, ...request.Option) (*iam.UntagMFADeviceOutput, error)
+	UntagMFADeviceRequest(*iam.UntagMFADeviceInput) (*request.Request, *iam.UntagMFADeviceOutput)
+
+	UntagOpenIDConnectProvider(*iam.UntagOpenIDConnectProviderInput) (*iam.UntagOpenIDConnectProviderOutput, error)
+	UntagOpenIDConnectProviderWithContext(aws.Context, *iam.UntagOpenIDConnectProviderInput, ...request.Option) (*iam.UntagOpenIDConnectProviderOutput, error)
+	UntagOpenIDConnectProviderRequest(*iam.UntagOpenIDConnectProviderInput) (*request.Request, *iam.UntagOpenIDConnectProviderOutput)
+
+	UntagPolicy(*iam.UntagPolicyInput) (*iam.UntagPolicyOutput, error)
+	UntagPolicyWithContext(aws.Context, *iam.UntagPolicyInput, ...request.Option) (*iam.UntagPolicyOutput, error)
+	UntagPolicyRequest(*iam.UntagPolicyInput) (*request.Request, *iam.UntagPolicyOutput)
+
 	UntagRole(*iam.UntagRoleInput) (*iam.UntagRoleOutput, error)
 	UntagRoleWithContext(aws.Context, *iam.UntagRoleInput, ...request.Option) (*iam.UntagRoleOutput, error)
 	UntagRoleRequest(*iam.UntagRoleInput) (*request.Request, *iam.UntagRoleOutput)

+	UntagSAMLProvider(*iam.UntagSAMLProviderInput) (*iam.UntagSAMLProviderOutput, error)
+	UntagSAMLProviderWithContext(aws.Context, *iam.UntagSAMLProviderInput, ...request.Option) (*iam.UntagSAMLProviderOutput, error)
+	UntagSAMLProviderRequest(*iam.UntagSAMLProviderInput) (*request.Request, *iam.UntagSAMLProviderOutput)
+
+	UntagServerCertificate(*iam.UntagServerCertificateInput) (*iam.UntagServerCertificateOutput, error)
+	UntagServerCertificateWithContext(aws.Context, *iam.UntagServerCertificateInput, ...request.Option) (*iam.UntagServerCertificateOutput, error)
+	UntagServerCertificateRequest(*iam.UntagServerCertificateInput) (*request.Request, *iam.UntagServerCertificateOutput)
+
 	UntagUser(*iam.UntagUserInput) (*iam.UntagUserOutput, error)
 	UntagUserWithContext(aws.Context, *iam.UntagUserInput, ...request.Option) (*iam.UntagUserOutput, error)
 	UntagUserRequest(*iam.UntagUserInput) (*request.Request, *iam.UntagUserOutput)
--- a/vendor/github.com/aws/aws-sdk-go/service/route53/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/route53/api.go
@ -57,7 +57,7 @@ func (c *Route53) ActivateKeySigningKeyRequest(input *ActivateKeySigningKeyInput

 // ActivateKeySigningKey API operation for Amazon Route 53.
 //
-// Activates a key signing key (KSK) so that it can be used for signing by DNSSEC.
+// Activates a key-signing key (KSK) so that it can be used for signing by DNSSEC.
 // This operation changes the KSK status to ACTIVE.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -73,10 +73,10 @@ func (c *Route53) ActivateKeySigningKeyRequest(input *ActivateKeySigningKeyInput
 //   at the same time that you did. Retry the request.
 //
 //   * ErrCodeNoSuchKeySigningKey "NoSuchKeySigningKey"
-//   The specified key signing key (KSK) doesn't exist.
+//   The specified key-signing key (KSK) doesn't exist.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 //   * ErrCodeInvalidSigningStatus "InvalidSigningStatus"
@ -884,7 +884,7 @@ func (c *Route53) CreateKeySigningKeyRequest(input *CreateKeySigningKeyInput) (r

 // CreateKeySigningKey API operation for Amazon Route 53.
 //
-// Creates a new key signing key (KSK) associated with a hosted zone. You can
+// Creates a new key-signing key (KSK) associated with a hosted zone. You can
 // only have two KSKs per hosted zone.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -909,7 +909,7 @@ func (c *Route53) CreateKeySigningKeyRequest(input *CreateKeySigningKeyInput) (r
 //   signing.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 //   * ErrCodeInvalidSigningStatus "InvalidSigningStatus"
@ -917,14 +917,14 @@ func (c *Route53) CreateKeySigningKeyRequest(input *CreateKeySigningKeyInput) (r
 //   change the status to enable DNSSEC or disable DNSSEC.
 //
 //   * ErrCodeInvalidKeySigningKeyName "InvalidKeySigningKeyName"
-//   The key signing key (KSK) name that you specified isn't a valid name.
+//   The key-signing key (KSK) name that you specified isn't a valid name.
 //
 //   * ErrCodeKeySigningKeyAlreadyExists "KeySigningKeyAlreadyExists"
-//   You've already created a key signing key (KSK) with this name or with the
-//   same customer managed key (CMK) ARN.
+//   You've already created a key-signing key (KSK) with this name or with the
+//   same customer managed customer master key (CMK) ARN.
 //
 //   * ErrCodeTooManyKeySigningKeys "TooManyKeySigningKeys"
-//   You've reached the limit for the number of key signing keys (KSKs). Remove
+//   You've reached the limit for the number of key-signing keys (KSKs). Remove
 //   at least one KSK, and then try again.
 //
 //   * ErrCodeConcurrentModification "ConcurrentModification"
@ -1780,7 +1780,7 @@ func (c *Route53) DeactivateKeySigningKeyRequest(input *DeactivateKeySigningKeyI

 // DeactivateKeySigningKey API operation for Amazon Route 53.
 //
-// Deactivates a key signing key (KSK) so that it will not be used for signing
+// Deactivates a key-signing key (KSK) so that it will not be used for signing
 // by DNSSEC. This operation changes the KSK status to INACTIVE.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -1796,10 +1796,10 @@ func (c *Route53) DeactivateKeySigningKeyRequest(input *DeactivateKeySigningKeyI
 //   at the same time that you did. Retry the request.
 //
 //   * ErrCodeNoSuchKeySigningKey "NoSuchKeySigningKey"
-//   The specified key signing key (KSK) doesn't exist.
+//   The specified key-signing key (KSK) doesn't exist.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 //   * ErrCodeInvalidSigningStatus "InvalidSigningStatus"
@ -1807,12 +1807,12 @@ func (c *Route53) DeactivateKeySigningKeyRequest(input *DeactivateKeySigningKeyI
 //   change the status to enable DNSSEC or disable DNSSEC.
 //
 //   * ErrCodeKeySigningKeyInUse "KeySigningKeyInUse"
-//   The key signing key (KSK) that you specified can't be deactivated because
+//   The key-signing key (KSK) that you specified can't be deactivated because
 //   it's the only KSK for a currently-enabled DNSSEC. Disable DNSSEC signing,
 //   or add or enable another KSK.
 //
 //   * ErrCodeKeySigningKeyInParentDSRecord "KeySigningKeyInParentDSRecord"
-//   The key signing key (KSK) is specified in a parent DS record.
+//   The key-signing key (KSK) is specified in a parent DS record.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/route53-2013-04-01/DeactivateKeySigningKey
 func (c *Route53) DeactivateKeySigningKey(input *DeactivateKeySigningKeyInput) (*DeactivateKeySigningKeyOutput, error) {
@ -2120,7 +2120,7 @@ func (c *Route53) DeleteKeySigningKeyRequest(input *DeleteKeySigningKeyInput) (r

 // DeleteKeySigningKey API operation for Amazon Route 53.
 //
-// Deletes a key signing key (KSK). Before you can delete a KSK, you must deactivate
+// Deletes a key-signing key (KSK). Before you can delete a KSK, you must deactivate
 // it. The KSK must be deactived before you can delete it regardless of whether
 // the hosted zone is enabled for DNSSEC signing.
 //
@ -2137,10 +2137,10 @@ func (c *Route53) DeleteKeySigningKeyRequest(input *DeleteKeySigningKeyInput) (r
 //   at the same time that you did. Retry the request.
 //
 //   * ErrCodeNoSuchKeySigningKey "NoSuchKeySigningKey"
-//   The specified key signing key (KSK) doesn't exist.
+//   The specified key-signing key (KSK) doesn't exist.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 //   * ErrCodeInvalidSigningStatus "InvalidSigningStatus"
@ -2708,7 +2708,7 @@ func (c *Route53) DisableHostedZoneDNSSECRequest(input *DisableHostedZoneDNSSECI
 // DisableHostedZoneDNSSEC API operation for Amazon Route 53.
 //
 // Disables DNSSEC signing in a specific hosted zone. This action does not deactivate
-// any key signing keys (KSKs) that are active in the hosted zone.
+// any key-signing keys (KSKs) that are active in the hosted zone.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@ -2729,13 +2729,13 @@ func (c *Route53) DisableHostedZoneDNSSECRequest(input *DisableHostedZoneDNSSECI
 //   at the same time that you did. Retry the request.
 //
 //   * ErrCodeKeySigningKeyInParentDSRecord "KeySigningKeyInParentDSRecord"
-//   The key signing key (KSK) is specified in a parent DS record.
+//   The key-signing key (KSK) is specified in a parent DS record.
 //
 //   * ErrCodeDNSSECNotFound "DNSSECNotFound"
 //   The hosted zone doesn't have any DNSSEC resources.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 //   * ErrCodeInvalidKMSArn "InvalidKMSArn"
@ -2941,7 +2941,7 @@ func (c *Route53) EnableHostedZoneDNSSECRequest(input *EnableHostedZoneDNSSECInp
 //   at the same time that you did. Retry the request.
 //
 //   * ErrCodeKeySigningKeyWithActiveStatusNotFound "KeySigningKeyWithActiveStatusNotFound"
-//   A key signing key (KSK) with ACTIVE status wasn't found.
+//   A key-signing key (KSK) with ACTIVE status wasn't found.
 //
 //   * ErrCodeInvalidKMSArn "InvalidKMSArn"
 //   The KeyManagementServiceArn that you specified isn't valid to use with DNSSEC
@ -2955,7 +2955,7 @@ func (c *Route53) EnableHostedZoneDNSSECRequest(input *EnableHostedZoneDNSSECInp
 //   The hosted zone doesn't have any DNSSEC resources.
 //
 //   * ErrCodeInvalidKeySigningKeyStatus "InvalidKeySigningKeyStatus"
-//   The key signing key (KSK) status isn't valid or another KSK has the status
+//   The key-signing key (KSK) status isn't valid or another KSK has the status
 //   INTERNAL_FAILURE.
 //
 // See also, https://docs.aws.amazon.com/goto/WebAPI/route53-2013-04-01/EnableHostedZoneDNSSEC
@ -3203,6 +3203,8 @@ func (c *Route53) GetCheckerIpRangesRequest(input *GetCheckerIpRangesInput) (req

 // GetCheckerIpRanges API operation for Amazon Route 53.
 //
+// Route 53 does not perform authorization for this API because it retrieves
+// information that is already available to the public.
 //
 // GetCheckerIpRanges still works, but we recommend that you download ip-ranges.json,
 // which includes IP address ranges for all AWS services. For more information,
@ -3282,7 +3284,7 @@ func (c *Route53) GetDNSSECRequest(input *GetDNSSECInput) (req *request.Request,
 // GetDNSSEC API operation for Amazon Route 53.
 //
 // Returns information about DNSSEC for a specific hosted zone, including the
-// key signing keys (KSKs) and zone signing keys (ZSKs) in the hosted zone.
+// key-signing keys (KSKs) in the hosted zone.
 //
 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
 // with awserr.Error's Code and Message methods to get detailed information about
@ -3367,6 +3369,9 @@ func (c *Route53) GetGeoLocationRequest(input *GetGeoLocationInput) (req *reques
 // Gets information about whether a specified geographic location is supported
 // for Amazon Route 53 geolocation resource record sets.
 //
+// Route 53 does not perform authorization for this API because it retrieves
+// information that is already available to the public.
+//
 // Use the following syntax to determine whether a continent is supported for
 // geolocation:
 //
@ -4557,6 +4562,9 @@ func (c *Route53) ListGeoLocationsRequest(input *ListGeoLocationsInput) (req *re
 // the subdivisions for that country are listed in alphabetical order immediately
 // after the corresponding country.
 //
+// Route 53 does not perform authorization for this API because it retrieves
+// information that is already available to the public.
+//
 // For a list of supported geolocation codes, see the GeoLocation (https://docs.aws.amazon.com/Route53/latest/APIReference/API_GeoLocation.html)
 // data type.
 //
@ -6801,7 +6809,9 @@ type ActivateKeySigningKeyInput struct {
 	// HostedZoneId is a required field
 	HostedZoneId *string `location:"uri" locationName:"HostedZoneId" type:"string" required:"true"`

-	// An alphanumeric string used to identify a key signing key (KSK).
+	// A string used to identify a key-signing key (KSK). Name can include numbers,
+	// letters, and underscores (_). Name must be unique for each key-signing key
+	// in the same hosted zone.
 	//
 	// Name is a required field
 	Name *string `location:"uri" locationName:"Name" min:"3" type:"string" required:"true"`
@ -6902,8 +6912,9 @@ type AlarmIdentifier struct {
 	// determine whether this health check is healthy, the region that the alarm
 	// was created in.
 	//
-	// For the current list of CloudWatch regions, see Amazon CloudWatch (https://docs.aws.amazon.com/general/latest/gr/rande.html#cw_region)
-	// in the AWS Service Endpoints chapter of the Amazon Web Services General Reference.
+	// For the current list of CloudWatch regions, see Amazon CloudWatch endpoints
+	// and quotas (https://docs.aws.amazon.com/general/latest/gr/cw_region.html)
+	// in the Amazon Web Services General Reference.
 	//
 	// Region is a required field
 	Region *string `min:"1" type:"string" required:"true" enum:"CloudWatchRegion"`
@ -7199,21 +7210,20 @@ type AliasTarget struct {
 	//
 	// Specify the hosted zone ID for the region that you created the environment
 	// in. The environment must have a regionalized subdomain. For a list of regions
-	// and the corresponding hosted zone IDs, see AWS Elastic Beanstalk (https://docs.aws.amazon.com/general/latest/gr/rande.html#elasticbeanstalk_region)
-	// in the "AWS Service Endpoints" chapter of the Amazon Web Services General
-	// Reference.
+	// and the corresponding hosted zone IDs, see AWS Elastic Beanstalk endpoints
+	// and quotas (https://docs.aws.amazon.com/general/latest/gr/elasticbeanstalk.html)
+	// in the the Amazon Web Services General Reference.
 	//
 	// ELB load balancer
 	//
 	// Specify the value of the hosted zone ID for the load balancer. Use the following
 	// methods to get the hosted zone ID:
 	//
-	//    * Service Endpoints (https://docs.aws.amazon.com/general/latest/gr/elb.html)
-	//    table in the "Elastic Load Balancing Endpoints and Quotas" topic in the
-	//    Amazon Web Services General Reference: Use the value that corresponds
-	//    with the region that you created your load balancer in. Note that there
-	//    are separate columns for Application and Classic Load Balancers and for
-	//    Network Load Balancers.
+	//    * Elastic Load Balancing endpoints and quotas (https://docs.aws.amazon.com/general/latest/gr/elb.html)
+	//    topic in the Amazon Web Services General Reference: Use the value that
+	//    corresponds with the region that you created your load balancer in. Note
+	//    that there are separate columns for Application and Classic Load Balancers
+	//    and for Network Load Balancers.
 	//
 	//    * AWS Management Console: Go to the Amazon EC2 page, choose Load Balancers
 	//    in the navigation pane, select the load balancer, and get the value of
@ -8230,13 +8240,13 @@ type CreateKeySigningKeyInput struct {
 	// HostedZoneId is a required field
 	HostedZoneId *string `type:"string" required:"true"`

-	// The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key
-	// Management Service (KMS). The KeyManagementServiceArn must be unique for
-	// each key signing key (KSK) in a single hosted zone. To see an example of
-	// KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll
-	// down to Example.
+	// The Amazon resource name (ARN) for a customer managed customer master key
+	// (CMK) in AWS Key Management Service (AWS KMS). The KeyManagementServiceArn
+	// must be unique for each key-signing key (KSK) in a single hosted zone. To
+	// see an example of KeyManagementServiceArn that grants the correct permissions
+	// for DNSSEC, scroll down to Example.
 	//
-	// You must configure the CMK as follows:
+	// You must configure the customer managed CMK as follows:
 	//
 	// Status
 	//
@ -8265,19 +8275,20 @@ type CreateKeySigningKeyInput struct {
 	//
 	//    * "Service": "api-service.dnssec.route53.aws.internal"
 	//
-	// For more information about working with CMK in KMS, see AWS Key Management
-	// Service concepts (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).
+	// For more information about working with a customer managed CMK in AWS KMS,
+	// see AWS Key Management Service concepts (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).
 	//
 	// KeyManagementServiceArn is a required field
 	KeyManagementServiceArn *string `type:"string" required:"true"`

-	// An alphanumeric string used to identify a key signing key (KSK). Name must
-	// be unique for each key signing key in the same hosted zone.
+	// A string used to identify a key-signing key (KSK). Name can include numbers,
+	// letters, and underscores (_). Name must be unique for each key-signing key
+	// in the same hosted zone.
 	//
 	// Name is a required field
 	Name *string `min:"3" type:"string" required:"true"`

-	// A string specifying the initial status of the key signing key (KSK). You
+	// A string specifying the initial status of the key-signing key (KSK). You
 	// can set the value to ACTIVE or INACTIVE.
 	//
 	// Status is a required field
@ -8367,12 +8378,12 @@ type CreateKeySigningKeyOutput struct {
 	// ChangeInfo is a required field
 	ChangeInfo *ChangeInfo `type:"structure" required:"true"`

-	// The key signing key (KSK) that the request creates.
+	// The key-signing key (KSK) that the request creates.
 	//
 	// KeySigningKey is a required field
 	KeySigningKey *KeySigningKey `type:"structure" required:"true"`

-	// The unique URL representing the new key signing key (KSK).
+	// The unique URL representing the new key-signing key (KSK).
 	//
 	// Location is a required field
 	Location *string `location:"header" locationName:"Location" type:"string" required:"true"`
@ -9059,14 +9070,34 @@ func (s *CreateVPCAssociationAuthorizationOutput) SetVPC(v *VPC) *CreateVPCAssoc
 type DNSSECStatus struct {
 	_ struct{} `type:"structure"`

-	// Indicates your hosted zone signging status: SIGNING, NOT_SIGNING, or INTERNAL_FAILURE.
-	// If the status is INTERNAL_FAILURE, see StatusMessage for information about
-	// steps that you can take to correct the problem.
+	// A string that represents the current hosted zone signing status.
 	//
-	// A status INTERNAL_FAILURE means there was an error during a request. Before
-	// you can continue to work with DNSSEC signing, including working with key
-	// signing keys (KSKs), you must correct the problem by enabling or disabling
-	// DNSSEC signing for the hosted zone.
+	// Status can have one of the following values:
+	//
+	// SIGNING
+	//
+	// DNSSEC signing is enabled for the hosted zone.
+	//
+	// NOT_SIGNING
+	//
+	// DNSSEC signing is not enabled for the hosted zone.
+	//
+	// DELETING
+	//
+	// DNSSEC signing is in the process of being removed for the hosted zone.
+	//
+	// ACTION_NEEDED
+	//
+	// There is a problem with signing in the hosted zone that requires you to take
+	// action to resolve. For example, the customer managed customer master key
+	// (CMK) might have been deleted, or the permissions for the customer managed
+	// CMK might have been changed.
+	//
+	// INTERNAL_FAILURE
+	//
+	// There was an error during a request. Before you can continue to work with
+	// DNSSEC signing, including with key-signing keys (KSKs), you must correct
+	// the problem by enabling or disabling DNSSEC signing for the hosted zone.
 	ServeSignature *string `min:"1" type:"string"`

 	// The status message provided for the following DNSSEC signing status: INTERNAL_FAILURE.
@ -9105,7 +9136,7 @@ type DeactivateKeySigningKeyInput struct {
 	// HostedZoneId is a required field
 	HostedZoneId *string `location:"uri" locationName:"HostedZoneId" type:"string" required:"true"`

-	// An alphanumeric string used to identify a key signing key (KSK).
+	// A string used to identify a key-signing key (KSK).
 	//
 	// Name is a required field
 	Name *string `location:"uri" locationName:"Name" min:"3" type:"string" required:"true"`
@ -9362,7 +9393,7 @@ type DeleteKeySigningKeyInput struct {
 	// HostedZoneId is a required field
 	HostedZoneId *string `location:"uri" locationName:"HostedZoneId" type:"string" required:"true"`

-	// An alphanumeric string used to identify a key signing key (KSK).
+	// A string used to identify a key-signing key (KSK).
 	//
 	// Name is a required field
 	Name *string `location:"uri" locationName:"Name" min:"3" type:"string" required:"true"`
@ -10147,8 +10178,12 @@ type GeoLocationDetails struct {
 	// The name of the country.
 	CountryName *string `min:"1" type:"string"`

-	// The code for the subdivision. Route 53 currently supports only states in
-	// the United States.
+	// The code for the subdivision, such as a particular state within the United
+	// States. For a list of US state abbreviations, see Appendix B: Two–Letter
+	// State and Possession Abbreviations (https://pe.usps.com/text/pub28/28apb.htm)
+	// on the United States Postal Service website. For a list of all supported
+	// subdivision codes, use the ListGeoLocations (https://docs.aws.amazon.com/Route53/latest/APIReference/API_ListGeoLocations.html)
+	// API.
 	SubdivisionCode *string `min:"1" type:"string"`

 	// The full name of the subdivision. Route 53 currently supports only states
@ -10461,7 +10496,7 @@ func (s *GetDNSSECInput) SetHostedZoneId(v string) *GetDNSSECInput {
 type GetDNSSECOutput struct {
 	_ struct{} `type:"structure"`

-	// The key signing keys (KSKs) in your account.
+	// The key-signing keys (KSKs) in your account.
 	//
 	// KeySigningKeys is a required field
 	KeySigningKeys []*KeySigningKey `type:"list" required:"true"`
@ -10521,12 +10556,12 @@ type GetGeoLocationInput struct {
 	// standard 3166-1 alpha-2 (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).
 	CountryCode *string `location:"querystring" locationName:"countrycode" min:"1" type:"string"`

-	// For SubdivisionCode, Amazon Route 53 supports only states of the United States.
-	// For a list of state abbreviations, see Appendix B: Two–Letter State and
-	// Possession Abbreviations (https://pe.usps.com/text/pub28/28apb.htm) on the
-	// United States Postal Service website.
-	//
-	// If you specify subdivisioncode, you must also specify US for CountryCode.
+	// The code for the subdivision, such as a particular state within the United
+	// States. For a list of US state abbreviations, see Appendix B: Two–Letter
+	// State and Possession Abbreviations (https://pe.usps.com/text/pub28/28apb.htm)
+	// on the United States Postal Service website. For a list of all supported
+	// subdivision codes, use the ListGeoLocations (https://docs.aws.amazon.com/Route53/latest/APIReference/API_ListGeoLocations.html)
+	// API.
 	SubdivisionCode *string `location:"querystring" locationName:"subdivisioncode" min:"1" type:"string"`
 }

@ -11576,7 +11611,7 @@ type HealthCheck struct {
 	// HealthCheckVersion is a required field
 	HealthCheckVersion *int64 `min:"1" type:"long" required:"true"`

-	// The identifier that Amazon Route 53assigned to the health check when you
+	// The identifier that Amazon Route 53 assigned to the health check when you
 	// created it. When you add or update a resource record set, you use this value
 	// to specify which health check to use. The value can be up to 64 characters
 	// long.
@ -12380,7 +12415,7 @@ func (s *HostedZoneSummary) SetOwner(v *HostedZoneOwner) *HostedZoneSummary {
 	return s
 }

-// A key signing key (KSK) is a complex type that represents a public/private
+// A key-signing key (KSK) is a complex type that represents a public/private
 // key pair. The private key is used to generate a digital signature for the
 // zone signing key (ZSK). The public key is stored in the DNS and is used to
 // authenticate the ZSK. A KSK is always associated with a hosted zone; it cannot
@ -12388,7 +12423,7 @@ func (s *HostedZoneSummary) SetOwner(v *HostedZoneOwner) *HostedZoneSummary {
 type KeySigningKey struct {
 	_ struct{} `type:"structure"`

-	// The date when the key signing key (KSK) was created.
+	// The date when the key-signing key (KSK) was created.
 	CreatedDate *time.Time `type:"timestamp"`

 	// A string that represents a DNSKEY record.
@ -12411,7 +12446,7 @@ type KeySigningKey struct {
 	// system.
 	DigestValue *string `type:"string"`

-	// An integer that specifies how the key is used. For key signing key (KSK),
+	// An integer that specifies how the key is used. For key-signing key (KSK),
 	// this value is always 257.
 	Flag *int64 `type:"integer"`

@ -12419,9 +12454,9 @@ type KeySigningKey struct {
 	// used to calculate the value is described in RFC-4034 Appendix B (https://tools.ietf.org/rfc/rfc4034.txt).
 	KeyTag *int64 `type:"integer"`

-	// The Amazon resource name (ARN) used to identify the customer managed key
-	// (CMK) in AWS Key Management Service (KMS). The KmsArn must be unique for
-	// each key signing key (KSK) in a single hosted zone.
+	// The Amazon resource name (ARN) used to identify the customer managed customer
+	// master key (CMK) in AWS Key Management Service (AWS KMS). The KmsArn must
+	// be unique for each key-signing key (KSK) in a single hosted zone.
 	//
 	// You must configure the CMK as follows:
 	//
@ -12452,15 +12487,16 @@ type KeySigningKey struct {
 	//
 	//    * "Service": "api-service.dnssec.route53.aws.internal"
 	//
-	// For more information about working with the customer managed key (CMK) in
-	// KMS, see AWS Key Management Service concepts (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).
+	// For more information about working with the customer managed CMK in AWS KMS,
+	// see AWS Key Management Service concepts (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).
 	KmsArn *string `type:"string"`

-	// The last time that the key signing key (KSK) was changed.
+	// The last time that the key-signing key (KSK) was changed.
 	LastModifiedDate *time.Time `type:"timestamp"`

-	// An alphanumeric string used to identify a key signing key (KSK). Name must
-	// be unique for each key signing key in the same hosted zone.
+	// A string used to identify a key-signing key (KSK). Name can include numbers,
+	// letters, and underscores (_). Name must be unique for each key-signing key
+	// in the same hosted zone.
 	Name *string `min:"3" type:"string"`

 	// The public key, represented as a Base64 encoding, as required by RFC-4034
@ -12475,7 +12511,7 @@ type KeySigningKey struct {
 	// the guidelines provided by RFC-8624 Section 3.1 (https://tools.ietf.org/html/rfc8624#section-3.1).
 	SigningAlgorithmType *int64 `type:"integer"`

-	// A string that represents the current key signing key (KSK) status.
+	// A string that represents the current key-signing key (KSK) status.
 	//
 	// Status can have one of the following values:
 	//
@ -12487,9 +12523,16 @@ type KeySigningKey struct {
 	//
 	// The KSK is not being used for signing.
 	//
+	// DELETING
+	//
+	// The KSK is in the process of being deleted.
+	//
 	// ACTION_NEEDED
 	//
-	// There is an error in the KSK that requires you to take action to resolve.
+	// There is a problem with the KSK that requires you to take action to resolve.
+	// For example, the customer managed customer master key (CMK) might have been
+	// deleted, or the permissions for the customer managed CMK might have been
+	// changed.
 	//
 	// INTERNAL_FAILURE
 	//
@ -12498,7 +12541,7 @@ type KeySigningKey struct {
 	// the problem. For example, you may need to activate or deactivate the KSK.
 	Status *string `min:"5" type:"string"`

-	// The status message provided for the following key signing key (KSK) statuses:
+	// The status message provided for the following key-signing key (KSK) statuses:
 	// ACTION_NEEDED or INTERNAL_FAILURE. The status message includes information
 	// about what the problem might be and steps that you can take to correct the
 	// issue.
@ -15378,8 +15421,8 @@ type ResourceRecordSet struct {
 	// data is encoded for them, see Supported DNS Resource Record Types (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html)
 	// in the Amazon Route 53 Developer Guide.
 	//
-	// Valid values for basic resource record sets: A | AAAA | CAA | CNAME | MX
-	// | NAPTR | NS | PTR | SOA | SPF | SRV | TXT
+	// Valid values for basic resource record sets: A | AAAA | CAA | CNAME | DS
+	// |MX | NAPTR | NS | PTR | SOA | SPF | SRV | TXT
 	//
 	// Values for weighted, latency, geolocation, and failover resource record sets:
 	// A | AAAA | CAA | CNAME | MX | NAPTR | PTR | SPF | SRV | TXT. When creating
--- a/vendor/github.com/aws/aws-sdk-go/service/route53/errors.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/route53/errors.go
@ -199,13 +199,13 @@ const (
 	// ErrCodeInvalidKeySigningKeyName for service response error code
 	// "InvalidKeySigningKeyName".
 	//
-	// The key signing key (KSK) name that you specified isn't a valid name.
+	// The key-signing key (KSK) name that you specified isn't a valid name.
 	ErrCodeInvalidKeySigningKeyName = "InvalidKeySigningKeyName"

 	// ErrCodeInvalidKeySigningKeyStatus for service response error code
 	// "InvalidKeySigningKeyStatus".
 	//
-	// The key signing key (KSK) status isn't valid or another KSK has the status
+	// The key-signing key (KSK) status isn't valid or another KSK has the status
 	// INTERNAL_FAILURE.
 	ErrCodeInvalidKeySigningKeyStatus = "InvalidKeySigningKeyStatus"

@ -240,20 +240,20 @@ const (
 	// ErrCodeKeySigningKeyAlreadyExists for service response error code
 	// "KeySigningKeyAlreadyExists".
 	//
-	// You've already created a key signing key (KSK) with this name or with the
-	// same customer managed key (CMK) ARN.
+	// You've already created a key-signing key (KSK) with this name or with the
+	// same customer managed customer master key (CMK) ARN.
 	ErrCodeKeySigningKeyAlreadyExists = "KeySigningKeyAlreadyExists"

 	// ErrCodeKeySigningKeyInParentDSRecord for service response error code
 	// "KeySigningKeyInParentDSRecord".
 	//
-	// The key signing key (KSK) is specified in a parent DS record.
+	// The key-signing key (KSK) is specified in a parent DS record.
 	ErrCodeKeySigningKeyInParentDSRecord = "KeySigningKeyInParentDSRecord"

 	// ErrCodeKeySigningKeyInUse for service response error code
 	// "KeySigningKeyInUse".
 	//
-	// The key signing key (KSK) that you specified can't be deactivated because
+	// The key-signing key (KSK) that you specified can't be deactivated because
 	// it's the only KSK for a currently-enabled DNSSEC. Disable DNSSEC signing,
 	// or add or enable another KSK.
 	ErrCodeKeySigningKeyInUse = "KeySigningKeyInUse"
@ -261,7 +261,7 @@ const (
 	// ErrCodeKeySigningKeyWithActiveStatusNotFound for service response error code
 	// "KeySigningKeyWithActiveStatusNotFound".
 	//
-	// A key signing key (KSK) with ACTIVE status wasn't found.
+	// A key-signing key (KSK) with ACTIVE status wasn't found.
 	ErrCodeKeySigningKeyWithActiveStatusNotFound = "KeySigningKeyWithActiveStatusNotFound"

 	// ErrCodeLastVPCAssociation for service response error code
@ -327,7 +327,7 @@ const (
 	// ErrCodeNoSuchKeySigningKey for service response error code
 	// "NoSuchKeySigningKey".
 	//
-	// The specified key signing key (KSK) doesn't exist.
+	// The specified key-signing key (KSK) doesn't exist.
 	ErrCodeNoSuchKeySigningKey = "NoSuchKeySigningKey"

 	// ErrCodeNoSuchQueryLoggingConfig for service response error code
@ -428,7 +428,7 @@ const (
 	// ErrCodeTooManyKeySigningKeys for service response error code
 	// "TooManyKeySigningKeys".
 	//
-	// You've reached the limit for the number of key signing keys (KSKs). Remove
+	// You've reached the limit for the number of key-signing keys (KSKs). Remove
 	// at least one KSK, and then try again.
 	ErrCodeTooManyKeySigningKeys = "TooManyKeySigningKeys"

--- a/vendor/github.com/aws/aws-sdk-go/service/s3/endpoint.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/endpoint.go
@ -98,7 +98,7 @@ func endpointHandler(req *request.Request) {
 		Request:  req,
 	}

-	if resReq.IsCrossPartition() {
+	if len(resReq.Request.ClientInfo.PartitionID) != 0 && resReq.IsCrossPartition() {
 		req.Error = s3shared.NewClientPartitionMismatchError(resource,
 			req.ClientInfo.PartitionID, aws.StringValue(req.Config.Region), nil)
 		return
@ -110,11 +110,6 @@ func endpointHandler(req *request.Request) {
 		return
 	}

-	if resReq.HasCustomEndpoint() {
-		req.Error = s3shared.NewInvalidARNWithCustomEndpointError(resource, nil)
-		return
-	}
-
 	switch tv := resource.(type) {
 	case arn.AccessPointARN:
 		err = updateRequestAccessPointEndpoint(req, tv)
@ -155,8 +150,7 @@ func updateRequestAccessPointEndpoint(req *request.Request, accessPoint arn.Acce
 			req.ClientInfo.PartitionID, aws.StringValue(req.Config.Region), nil)
 	}

-	// Ignore the disable host prefix for access points since custom endpoints
-	// are not supported.
+	// Ignore the disable host prefix for access points
 	req.Config.DisableEndpointHostPrefix = aws.Bool(false)

 	if err := accessPointEndpointBuilder(accessPoint).build(req); err != nil {
@ -181,8 +175,7 @@ func updateRequestOutpostAccessPointEndpoint(req *request.Request, accessPoint a
 			req.ClientInfo.PartitionID, aws.StringValue(req.Config.Region), nil)
 	}

-	// Ignore the disable host prefix for access points since custom endpoints
-	// are not supported.
+	// Ignore the disable host prefix for access points
 	req.Config.DisableEndpointHostPrefix = aws.Bool(false)

 	if err := outpostAccessPointEndpointBuilder(accessPoint).build(req); err != nil {
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/endpoint_builder.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/endpoint_builder.go
@ -22,6 +22,11 @@ const (
 	outpostAccessPointPrefixTemplate = accessPointPrefixTemplate + "{" + outpostPrefixLabel + "}."
 )

+// hasCustomEndpoint returns true if endpoint is a custom endpoint
+func hasCustomEndpoint(r *request.Request) bool {
+	return len(aws.StringValue(r.Config.Endpoint)) > 0
+}
+
 // accessPointEndpointBuilder represents the endpoint builder for access point arn
 type accessPointEndpointBuilder arn.AccessPointARN

@ -55,16 +60,19 @@ func (a accessPointEndpointBuilder) build(req *request.Request) error {
 			req.ClientInfo.PartitionID, cfgRegion, err)
 	}

-	if err = updateRequestEndpoint(req, endpoint.URL); err != nil {
-		return err
-	}
+	endpoint.URL = endpoints.AddScheme(endpoint.URL, aws.BoolValue(req.Config.DisableSSL))

-	const serviceEndpointLabel = "s3-accesspoint"
+	if !hasCustomEndpoint(req) {
+		if err = updateRequestEndpoint(req, endpoint.URL); err != nil {
+			return err
+		}
+		const serviceEndpointLabel = "s3-accesspoint"

-	// dual stack provided by endpoint resolver
-	cfgHost := req.HTTPRequest.URL.Host
-	if strings.HasPrefix(cfgHost, "s3") {
-		req.HTTPRequest.URL.Host = serviceEndpointLabel + cfgHost[2:]
+		// dual stack provided by endpoint resolver
+		cfgHost := req.HTTPRequest.URL.Host
+		if strings.HasPrefix(cfgHost, "s3") {
+			req.HTTPRequest.URL.Host = serviceEndpointLabel + cfgHost[2:]
+		}
 	}

 	protocol.HostPrefixBuilder{
@ -116,14 +124,17 @@ func (o outpostAccessPointEndpointBuilder) build(req *request.Request) error {
 			req.ClientInfo.PartitionID, resolveRegion, err)
 	}

-	if err = updateRequestEndpoint(req, endpoint.URL); err != nil {
-		return err
-	}
+	endpoint.URL = endpoints.AddScheme(endpoint.URL, aws.BoolValue(req.Config.DisableSSL))

-	// add url host as s3-outposts
-	cfgHost := req.HTTPRequest.URL.Host
-	if strings.HasPrefix(cfgHost, endpointsID) {
-		req.HTTPRequest.URL.Host = resolveService + cfgHost[len(endpointsID):]
+	if !hasCustomEndpoint(req) {
+		if err = updateRequestEndpoint(req, endpoint.URL); err != nil {
+			return err
+		}
+		// add url host as s3-outposts
+		cfgHost := req.HTTPRequest.URL.Host
+		if strings.HasPrefix(cfgHost, endpointsID) {
+			req.HTTPRequest.URL.Host = resolveService + cfgHost[len(endpointsID):]
+		}
 	}

 	protocol.HostPrefixBuilder{
@ -159,7 +170,6 @@ func resolveRegionalEndpoint(r *request.Request, region string, endpointsID stri
 }

 func updateRequestEndpoint(r *request.Request, endpoint string) (err error) {
-	endpoint = endpoints.AddScheme(endpoint, aws.BoolValue(r.Config.DisableSSL))

 	r.HTTPRequest.URL, err = url.Parse(endpoint + r.Operation.HTTPPath)
 	if err != nil {
--- a/vendor/github.com/aws/aws-sdk-go/service/s3/service.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/s3/service.go
@ -48,6 +48,9 @@ const (
 //     svc := s3.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
 func New(p client.ConfigProvider, cfgs ...*aws.Config) *S3 {
 	c := p.ClientConfig(EndpointsID, cfgs...)
+	if c.SigningNameDerived || len(c.SigningName) == 0 {
+		c.SigningName = "s3"
+	}
 	return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName)
 }

--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -92,7 +92,7 @@ github.com/aws/amazon-ec2-instance-selector/v2/pkg/bytequantity
 github.com/aws/amazon-ec2-instance-selector/v2/pkg/cli
 github.com/aws/amazon-ec2-instance-selector/v2/pkg/selector
 github.com/aws/amazon-ec2-instance-selector/v2/pkg/selector/outputs
-# github.com/aws/aws-sdk-go v1.37.0
+# github.com/aws/aws-sdk-go v1.37.11
 ## explicit
 github.com/aws/aws-sdk-go/aws
 github.com/aws/aws-sdk-go/aws/arn