vendor: github.com/aws/aws-sdk-go-v2/config v1.26.6

vendor github.com/aws/aws-sdk-go-v2/config v1.26.6 and related dependencies.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

vendor/github.com/aws/aws-sdk-go-v2/aws/config.go

@@ -68,6 +68,12 @@ type Config struct {
 	//
 	// See the `aws.EndpointResolverWithOptions` documentation for additional
 	// usage information.
+	//
+	// Deprecated: with the release of endpoint resolution v2 in API clients,
+	// EndpointResolver and EndpointResolverWithOptions are deprecated.
+	// Providing a value for this field will likely prevent you from using
+	// newer endpoint-related service features. See API client options
+	// EndpointResolverV2 and BaseEndpoint.
 	EndpointResolverWithOptions EndpointResolverWithOptions
 
 	// RetryMaxAttempts specifies the maximum number attempts an API client
@@ -132,6 +138,30 @@ type Config struct {
 	// `config.LoadDefaultConfig`. You should not populate this structure
 	// programmatically, or rely on the values here within your applications.
 	RuntimeEnvironment RuntimeEnvironment
+
+	// AppId is an optional application specific identifier that can be set.
+	// When set it will be appended to the User-Agent header of every request
+	// in the form of App/{AppId}. This variable is sourced from environment
+	// variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
+	// See https://docs.aws.amazon.com/sdkref/latest/guide/settings-reference.html for
+	// more information on environment variables and shared config settings.
+	AppID string
+
+	// BaseEndpoint is an intermediary transfer location to a service specific
+	// BaseEndpoint on a service's Options.
+	BaseEndpoint *string
+
+	// DisableRequestCompression toggles if an operation request could be
+	// compressed or not. Will be set to false by default. This variable is sourced from
+	// environment variable AWS_DISABLE_REQUEST_COMPRESSION or the shared config profile attribute
+	// disable_request_compression
+	DisableRequestCompression bool
+
+	// RequestMinCompressSizeBytes sets the inclusive min bytes of a request body that could be
+	// compressed. Will be set to 10240 by default and must be within 0 and 10485760 bytes inclusively.
+	// This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or
+	// the shared config profile attribute request_min_compression_size_bytes
+	RequestMinCompressSizeBytes int64
 }
 
 // NewConfig returns a new Config pointer that can be chained with builder
@@ -140,8 +170,7 @@ func NewConfig() *Config {
 	return &Config{}
 }
 
-// Copy will return a shallow copy of the Config object. If any additional
-// configurations are provided they will be merged into the new config returned.
+// Copy will return a shallow copy of the Config object.
 func (c Config) Copy() Config {
 	cp := c
 	return cp

vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go

@@ -3,4 +3,4 @@
 package aws
 
 // goModuleVersion is the tagged release for this module
-const goModuleVersion = "1.17.6"
+const goModuleVersion = "1.24.1"

vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/metadata.go

@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"context"
+
 	"github.com/aws/aws-sdk-go-v2/aws"
 
 	"github.com/aws/smithy-go/middleware"
@@ -42,12 +43,13 @@ func (s RegisterServiceMetadata) HandleInitialize(
 
 // service metadata keys for storing and lookup of runtime stack information.
 type (
-	serviceIDKey     struct{}
-	signingNameKey   struct{}
-	signingRegionKey struct{}
-	regionKey        struct{}
-	operationNameKey struct{}
-	partitionIDKey   struct{}
+	serviceIDKey               struct{}
+	signingNameKey             struct{}
+	signingRegionKey           struct{}
+	regionKey                  struct{}
+	operationNameKey           struct{}
+	partitionIDKey             struct{}
+	requiresLegacyEndpointsKey struct{}
 )
 
 // GetServiceID retrieves the service id from the context.
@@ -63,6 +65,9 @@ func GetServiceID(ctx context.Context) (v string) {
 //
 // Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
 // to clear all stack values.
+//
+// Deprecated: This value is unstable. The resolved signing name is available
+// in the signer properties object passed to the signer.
 func GetSigningName(ctx context.Context) (v string) {
 	v, _ = middleware.GetStackValue(ctx, signingNameKey{}).(string)
 	return v
@@ -72,6 +77,9 @@ func GetSigningName(ctx context.Context) (v string) {
 //
 // Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
 // to clear all stack values.
+//
+// Deprecated: This value is unstable. The resolved signing region is available
+// in the signer properties object passed to the signer.
 func GetSigningRegion(ctx context.Context) (v string) {
 	v, _ = middleware.GetStackValue(ctx, signingRegionKey{}).(string)
 	return v
@@ -104,10 +112,32 @@ func GetPartitionID(ctx context.Context) string {
 	return v
 }
 
-// SetSigningName set or modifies the signing name on the context.
+// GetRequiresLegacyEndpoints the flag used to indicate if legacy endpoint
+// customizations need to be executed.
 //
 // Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
 // to clear all stack values.
+func GetRequiresLegacyEndpoints(ctx context.Context) bool {
+	v, _ := middleware.GetStackValue(ctx, requiresLegacyEndpointsKey{}).(bool)
+	return v
+}
+
+// SetRequiresLegacyEndpoints set or modifies the flag indicated that
+// legacy endpoint customizations are needed.
+//
+// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
+// to clear all stack values.
+func SetRequiresLegacyEndpoints(ctx context.Context, value bool) context.Context {
+	return middleware.WithStackValue(ctx, requiresLegacyEndpointsKey{}, value)
+}
+
+// SetSigningName set or modifies the sigv4 or sigv4a signing name on the context.
+//
+// Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
+// to clear all stack values.
+//
+// Deprecated: This value is unstable. Use WithSigV4SigningName client option
+// funcs instead.
 func SetSigningName(ctx context.Context, value string) context.Context {
 	return middleware.WithStackValue(ctx, signingNameKey{}, value)
 }
@@ -116,6 +146,9 @@ func SetSigningName(ctx context.Context, value string) context.Context {
 //
 // Scoped to stack values. Use github.com/aws/smithy-go/middleware#ClearStackValues
 // to clear all stack values.
+//
+// Deprecated: This value is unstable. Use WithSigV4SigningRegion client option
+// funcs instead.
 func SetSigningRegion(ctx context.Context, value string) context.Context {
 	return middleware.WithStackValue(ctx, signingRegionKey{}, value)
 }

vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics/metrics.go

@@ -0,0 +1,319 @@
+// Package metrics implements metrics gathering for SDK development purposes.
+//
+// This package is designated as private and is intended for use only by the
+// AWS client runtime. The exported API therein is not considered stable and
+// is subject to breaking changes without notice.
+package metrics
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/aws/smithy-go/middleware"
+)
+
+const (
+	// ServiceIDKey is the key for the service ID metric.
+	ServiceIDKey = "ServiceId"
+	// OperationNameKey is the key for the operation name metric.
+	OperationNameKey = "OperationName"
+	// ClientRequestIDKey is the key for the client request ID metric.
+	ClientRequestIDKey = "ClientRequestId"
+	// APICallDurationKey is the key for the API call duration metric.
+	APICallDurationKey = "ApiCallDuration"
+	// APICallSuccessfulKey is the key for the API call successful metric.
+	APICallSuccessfulKey = "ApiCallSuccessful"
+	// MarshallingDurationKey is the key for the marshalling duration metric.
+	MarshallingDurationKey = "MarshallingDuration"
+	// InThroughputKey is the key for the input throughput metric.
+	InThroughputKey = "InThroughput"
+	// OutThroughputKey is the key for the output throughput metric.
+	OutThroughputKey = "OutThroughput"
+	// RetryCountKey is the key for the retry count metric.
+	RetryCountKey = "RetryCount"
+	// HTTPStatusCodeKey is the key for the HTTP status code metric.
+	HTTPStatusCodeKey = "HttpStatusCode"
+	// AWSExtendedRequestIDKey is the key for the AWS extended request ID metric.
+	AWSExtendedRequestIDKey = "AwsExtendedRequestId"
+	// AWSRequestIDKey is the key for the AWS request ID metric.
+	AWSRequestIDKey = "AwsRequestId"
+	// BackoffDelayDurationKey is the key for the backoff delay duration metric.
+	BackoffDelayDurationKey = "BackoffDelayDuration"
+	// StreamThroughputKey is the key for the stream throughput metric.
+	StreamThroughputKey = "Throughput"
+	// ConcurrencyAcquireDurationKey is the key for the concurrency acquire duration metric.
+	ConcurrencyAcquireDurationKey = "ConcurrencyAcquireDuration"
+	// PendingConcurrencyAcquiresKey is the key for the pending concurrency acquires metric.
+	PendingConcurrencyAcquiresKey = "PendingConcurrencyAcquires"
+	// SigningDurationKey is the key for the signing duration metric.
+	SigningDurationKey = "SigningDuration"
+	// UnmarshallingDurationKey is the key for the unmarshalling duration metric.
+	UnmarshallingDurationKey = "UnmarshallingDuration"
+	// TimeToFirstByteKey is the key for the time to first byte metric.
+	TimeToFirstByteKey = "TimeToFirstByte"
+	// ServiceCallDurationKey is the key for the service call duration metric.
+	ServiceCallDurationKey = "ServiceCallDuration"
+	// EndpointResolutionDurationKey is the key for the endpoint resolution duration metric.
+	EndpointResolutionDurationKey = "EndpointResolutionDuration"
+	// AttemptNumberKey is the key for the attempt number metric.
+	AttemptNumberKey = "AttemptNumber"
+	// MaxConcurrencyKey is the key for the max concurrency metric.
+	MaxConcurrencyKey = "MaxConcurrency"
+	// AvailableConcurrencyKey is the key for the available concurrency metric.
+	AvailableConcurrencyKey = "AvailableConcurrency"
+)
+
+// MetricPublisher provides the interface to provide custom MetricPublishers.
+// PostRequestMetrics will be invoked by the MetricCollection middleware to post request.
+// PostStreamMetrics will be invoked by ReadCloserWithMetrics to post stream metrics.
+type MetricPublisher interface {
+	PostRequestMetrics(*MetricData) error
+	PostStreamMetrics(*MetricData) error
+}
+
+// Serializer provides the interface to provide custom Serializers.
+// Serialize will transform any input object in its corresponding string representation.
+type Serializer interface {
+	Serialize(obj interface{}) (string, error)
+}
+
+// DefaultSerializer is an implementation of the Serializer interface.
+type DefaultSerializer struct{}
+
+// Serialize uses the default JSON serializer to obtain the string representation of an object.
+func (DefaultSerializer) Serialize(obj interface{}) (string, error) {
+	bytes, err := json.Marshal(obj)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes), nil
+}
+
+type metricContextKey struct{}
+
+// MetricContext contains fields to store metric-related information.
+type MetricContext struct {
+	connectionCounter *SharedConnectionCounter
+	publisher         MetricPublisher
+	data              *MetricData
+}
+
+// MetricData stores the collected metric data.
+type MetricData struct {
+	RequestStartTime           time.Time
+	RequestEndTime             time.Time
+	APICallDuration            time.Duration
+	SerializeStartTime         time.Time
+	SerializeEndTime           time.Time
+	MarshallingDuration        time.Duration
+	ResolveEndpointStartTime   time.Time
+	ResolveEndpointEndTime     time.Time
+	EndpointResolutionDuration time.Duration
+	InThroughput               float64
+	OutThroughput              float64
+	RetryCount                 int
+	Success                    uint8
+	StatusCode                 int
+	ClientRequestID            string
+	ServiceID                  string
+	OperationName              string
+	PartitionID                string
+	Region                     string
+	RequestContentLength       int64
+	Stream                     StreamMetrics
+	Attempts                   []AttemptMetrics
+}
+
+// StreamMetrics stores metrics related to streaming data.
+type StreamMetrics struct {
+	ReadDuration time.Duration
+	ReadBytes    int64
+	Throughput   float64
+}
+
+// AttemptMetrics stores metrics related to individual attempts.
+type AttemptMetrics struct {
+	ServiceCallStart           time.Time
+	ServiceCallEnd             time.Time
+	ServiceCallDuration        time.Duration
+	FirstByteTime              time.Time
+	TimeToFirstByte            time.Duration
+	ConnRequestedTime          time.Time
+	ConnObtainedTime           time.Time
+	ConcurrencyAcquireDuration time.Duration
+	CredentialFetchStartTime   time.Time
+	CredentialFetchEndTime     time.Time
+	SignStartTime              time.Time
+	SignEndTime                time.Time
+	SigningDuration            time.Duration
+	DeserializeStartTime       time.Time
+	DeserializeEndTime         time.Time
+	UnMarshallingDuration      time.Duration
+	RetryDelay                 time.Duration
+	ResponseContentLength      int64
+	StatusCode                 int
+	RequestID                  string
+	ExtendedRequestID          string
+	HTTPClient                 string
+	MaxConcurrency             int
+	PendingConnectionAcquires  int
+	AvailableConcurrency       int
+	ActiveRequests             int
+	ReusedConnection           bool
+}
+
+// Data returns the MetricData associated with the MetricContext.
+func (mc *MetricContext) Data() *MetricData {
+	return mc.data
+}
+
+// ConnectionCounter returns the SharedConnectionCounter associated with the MetricContext.
+func (mc *MetricContext) ConnectionCounter() *SharedConnectionCounter {
+	return mc.connectionCounter
+}
+
+// Publisher returns the MetricPublisher associated with the MetricContext.
+func (mc *MetricContext) Publisher() MetricPublisher {
+	return mc.publisher
+}
+
+// ComputeRequestMetrics calculates and populates derived metrics based on the collected data.
+func (md *MetricData) ComputeRequestMetrics() {
+
+	for idx := range md.Attempts {
+		attempt := &md.Attempts[idx]
+		attempt.ConcurrencyAcquireDuration = attempt.ConnObtainedTime.Sub(attempt.ConnRequestedTime)
+		attempt.SigningDuration = attempt.SignEndTime.Sub(attempt.SignStartTime)
+		attempt.UnMarshallingDuration = attempt.DeserializeEndTime.Sub(attempt.DeserializeStartTime)
+		attempt.TimeToFirstByte = attempt.FirstByteTime.Sub(attempt.ServiceCallStart)
+		attempt.ServiceCallDuration = attempt.ServiceCallEnd.Sub(attempt.ServiceCallStart)
+	}
+
+	md.APICallDuration = md.RequestEndTime.Sub(md.RequestStartTime)
+	md.MarshallingDuration = md.SerializeEndTime.Sub(md.SerializeStartTime)
+	md.EndpointResolutionDuration = md.ResolveEndpointEndTime.Sub(md.ResolveEndpointStartTime)
+
+	md.RetryCount = len(md.Attempts) - 1
+
+	latestAttempt, err := md.LatestAttempt()
+
+	if err != nil {
+		fmt.Printf("error retrieving attempts data due to: %s. Skipping Throughput metrics", err.Error())
+	} else {
+
+		md.StatusCode = latestAttempt.StatusCode
+
+		if md.Success == 1 {
+			if latestAttempt.ResponseContentLength > 0 && latestAttempt.ServiceCallDuration > 0 {
+				md.InThroughput = float64(latestAttempt.ResponseContentLength) / latestAttempt.ServiceCallDuration.Seconds()
+			}
+			if md.RequestContentLength > 0 && latestAttempt.ServiceCallDuration > 0 {
+				md.OutThroughput = float64(md.RequestContentLength) / latestAttempt.ServiceCallDuration.Seconds()
+			}
+		}
+	}
+}
+
+// LatestAttempt returns the latest attempt metrics.
+// It returns an error if no attempts are initialized.
+func (md *MetricData) LatestAttempt() (*AttemptMetrics, error) {
+	if md.Attempts == nil || len(md.Attempts) == 0 {
+		return nil, fmt.Errorf("no attempts initialized. NewAttempt() should be called first")
+	}
+	return &md.Attempts[len(md.Attempts)-1], nil
+}
+
+// NewAttempt initializes new attempt metrics.
+func (md *MetricData) NewAttempt() {
+	if md.Attempts == nil {
+		md.Attempts = []AttemptMetrics{}
+	}
+	md.Attempts = append(md.Attempts, AttemptMetrics{})
+}
+
+// SharedConnectionCounter is a counter shared across API calls.
+type SharedConnectionCounter struct {
+	mu sync.Mutex
+
+	activeRequests           int
+	pendingConnectionAcquire int
+}
+
+// ActiveRequests returns the count of active requests.
+func (cc *SharedConnectionCounter) ActiveRequests() int {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	return cc.activeRequests
+}
+
+// PendingConnectionAcquire returns the count of pending connection acquires.
+func (cc *SharedConnectionCounter) PendingConnectionAcquire() int {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	return cc.pendingConnectionAcquire
+}
+
+// AddActiveRequest increments the count of active requests.
+func (cc *SharedConnectionCounter) AddActiveRequest() {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	cc.activeRequests++
+}
+
+// RemoveActiveRequest decrements the count of active requests.
+func (cc *SharedConnectionCounter) RemoveActiveRequest() {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	cc.activeRequests--
+}
+
+// AddPendingConnectionAcquire increments the count of pending connection acquires.
+func (cc *SharedConnectionCounter) AddPendingConnectionAcquire() {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	cc.pendingConnectionAcquire++
+}
+
+// RemovePendingConnectionAcquire decrements the count of pending connection acquires.
+func (cc *SharedConnectionCounter) RemovePendingConnectionAcquire() {
+	cc.mu.Lock()
+	defer cc.mu.Unlock()
+
+	cc.pendingConnectionAcquire--
+}
+
+// InitMetricContext initializes the metric context with the provided counter and publisher.
+// It returns the updated context.
+func InitMetricContext(
+	ctx context.Context, counter *SharedConnectionCounter, publisher MetricPublisher,
+) context.Context {
+	if middleware.GetStackValue(ctx, metricContextKey{}) == nil {
+		ctx = middleware.WithStackValue(ctx, metricContextKey{}, &MetricContext{
+			connectionCounter: counter,
+			publisher:         publisher,
+			data: &MetricData{
+				Attempts: []AttemptMetrics{},
+				Stream:   StreamMetrics{},
+			},
+		})
+	}
+	return ctx
+}
+
+// Context returns the metric context from the given context.
+// It returns nil if the metric context is not found.
+func Context(ctx context.Context) *MetricContext {
+	mctx := middleware.GetStackValue(ctx, metricContextKey{})
+	if mctx == nil {
+		return nil
+	}
+	return mctx.(*MetricContext)
+}

vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/recursion_detection.go

@@ -0,0 +1,94 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+	"os"
+)
+
+const envAwsLambdaFunctionName = "AWS_LAMBDA_FUNCTION_NAME"
+const envAmznTraceID = "_X_AMZN_TRACE_ID"
+const amznTraceIDHeader = "X-Amzn-Trace-Id"
+
+// AddRecursionDetection adds recursionDetection to the middleware stack
+func AddRecursionDetection(stack *middleware.Stack) error {
+	return stack.Build.Add(&RecursionDetection{}, middleware.After)
+}
+
+// RecursionDetection detects Lambda environment and sets its X-Ray trace ID to request header if absent
+// to avoid recursion invocation in Lambda
+type RecursionDetection struct{}
+
+// ID returns the middleware identifier
+func (m *RecursionDetection) ID() string {
+	return "RecursionDetection"
+}
+
+// HandleBuild detects Lambda environment and adds its trace ID to request header if absent
+func (m *RecursionDetection) HandleBuild(
+	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+) (
+	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+) {
+	req, ok := in.Request.(*smithyhttp.Request)
+	if !ok {
+		return out, metadata, fmt.Errorf("unknown request type %T", req)
+	}
+
+	_, hasLambdaEnv := os.LookupEnv(envAwsLambdaFunctionName)
+	xAmznTraceID, hasTraceID := os.LookupEnv(envAmznTraceID)
+	value := req.Header.Get(amznTraceIDHeader)
+	// only set the X-Amzn-Trace-Id header when it is not set initially, the
+	// current environment is Lambda and the _X_AMZN_TRACE_ID env variable exists
+	if value != "" || !hasLambdaEnv || !hasTraceID {
+		return next.HandleBuild(ctx, in)
+	}
+
+	req.Header.Set(amznTraceIDHeader, percentEncode(xAmznTraceID))
+	return next.HandleBuild(ctx, in)
+}
+
+func percentEncode(s string) string {
+	upperhex := "0123456789ABCDEF"
+	hexCount := 0
+	for i := 0; i < len(s); i++ {
+		c := s[i]
+		if shouldEncode(c) {
+			hexCount++
+		}
+	}
+
+	if hexCount == 0 {
+		return s
+	}
+
+	required := len(s) + 2*hexCount
+	t := make([]byte, required)
+	j := 0
+	for i := 0; i < len(s); i++ {
+		if c := s[i]; shouldEncode(c) {
+			t[j] = '%'
+			t[j+1] = upperhex[c>>4]
+			t[j+2] = upperhex[c&15]
+			j += 3
+		} else {
+			t[j] = c
+			j++
+		}
+	}
+	return string(t)
+}
+
+func shouldEncode(c byte) bool {
+	if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
+		return false
+	}
+	switch c {
+	case '-', '=', ';', ':', '+', '&', '[', ']', '{', '}', '"', '\'', ',':
+		return false
+	default:
+		return true
+	}
+}

vendor/github.com/aws/aws-sdk-go-v2/aws/middleware/user_agent.go

@@ -59,6 +59,11 @@ func (k SDKAgentKeyType) string() string {
 
 const execEnvVar = `AWS_EXECUTION_ENV`
 
+var validChars = map[rune]bool{
+	'!': true, '#': true, '$': true, '%': true, '&': true, '\'': true, '*': true, '+': true,
+	'-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true,
+}
+
 // requestUserAgent is a build middleware that set the User-Agent for the request.
 type requestUserAgent struct {
 	sdkAgent, userAgent *smithyhttp.UserAgentBuilder
@@ -178,24 +183,24 @@ func getOrAddRequestUserAgent(stack *middleware.Stack) (*requestUserAgent, error
 
 // AddUserAgentKey adds the component identified by name to the User-Agent string.
 func (u *requestUserAgent) AddUserAgentKey(key string) {
-	u.userAgent.AddKey(key)
+	u.userAgent.AddKey(strings.Map(rules, key))
 }
 
 // AddUserAgentKeyValue adds the key identified by the given name and value to the User-Agent string.
 func (u *requestUserAgent) AddUserAgentKeyValue(key, value string) {
-	u.userAgent.AddKeyValue(key, value)
+	u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value))
 }
 
 // AddUserAgentKey adds the component identified by name to the User-Agent string.
 func (u *requestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) {
 	// TODO: should target sdkAgent
-	u.userAgent.AddKey(keyType.string() + "/" + key)
+	u.userAgent.AddKey(keyType.string() + "/" + strings.Map(rules, key))
 }
 
 // AddUserAgentKeyValue adds the key identified by the given name and value to the User-Agent string.
 func (u *requestUserAgent) AddSDKAgentKeyValue(keyType SDKAgentKeyType, key, value string) {
 	// TODO: should target sdkAgent
-	u.userAgent.AddKeyValue(keyType.string()+"/"+key, value)
+	u.userAgent.AddKeyValue(keyType.string(), strings.Map(rules, key)+"#"+strings.Map(rules, value))
 }
 
 // ID the name of the middleware.
@@ -241,3 +246,16 @@ func updateHTTPHeader(request *smithyhttp.Request, header string, value string)
 	}
 	request.Header[header] = append(request.Header[header][:0], current)
 }
+
+func rules(r rune) rune {
+	switch {
+	case r >= '0' && r <= '9':
+		return r
+	case r >= 'A' && r <= 'Z' || r >= 'a' && r <= 'z':
+		return r
+	case validChars[r]:
+		return r
+	default:
+		return '-'
+	}
+}

vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/object.go

@@ -41,6 +41,12 @@ func (o *Object) Key(name string) Value {
 	return o.key(name, false)
 }
 
+// KeyWithValues adds the given named key to the Query object.
+// Returns a Value encoder that should be used to encode a Query list of values.
+func (o *Object) KeyWithValues(name string) Value {
+	return o.keyWithValues(name, false)
+}
+
 // FlatKey adds the given named key to the Query object.
 // Returns a Value encoder that should be used to encode a Query value type. The
 // value will be flattened if it is a map or array.
@@ -54,3 +60,10 @@ func (o *Object) key(name string, flatValue bool) Value {
 	}
 	return newValue(o.values, name, flatValue)
 }
+
+func (o *Object) keyWithValues(name string, flatValue bool) Value {
+	if o.prefix != "" {
+		return newAppendValue(o.values, fmt.Sprintf("%s.%s", o.prefix, name), flatValue)
+	}
+	return newAppendValue(o.values, name, flatValue)
+}

vendor/github.com/aws/aws-sdk-go-v2/aws/protocol/query/value.go

@@ -27,6 +27,15 @@ func newValue(values url.Values, key string, flat bool) Value {
 	}
 }
 
+func newAppendValue(values url.Values, key string, flat bool) Value {
+	return Value{
+		values:     values,
+		key:        key,
+		flat:       flat,
+		queryValue: httpbinding.NewQueryValue(values, key, true),
+	}
+}
+
 func newBaseValue(values url.Values) Value {
 	return Value{
 		values:     values,

vendor/github.com/aws/aws-sdk-go-v2/aws/retry/middleware.go

@@ -3,6 +3,7 @@ package retry
 import (
 	"context"
 	"fmt"
+	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
 	"strconv"
 	"strings"
 	"time"
@@ -225,6 +226,13 @@ func (r *Attempt) handleAttempt(
 	// that time. Potentially early exist if the sleep is canceled via the
 	// context.
 	retryDelay, reqErr := r.retryer.RetryDelay(attemptNum, err)
+	mctx := metrics.Context(ctx)
+	if mctx != nil {
+		attempt, err := mctx.Data().LatestAttempt()
+		if err != nil {
+			attempt.RetryDelay = retryDelay
+		}
+	}
 	if reqErr != nil {
 		return out, attemptResult, releaseRetryToken, reqErr
 	}
@@ -320,10 +328,12 @@ func AddRetryMiddlewares(stack *smithymiddle.Stack, options AddRetryMiddlewaresO
 		middleware.LogAttempts = options.LogRetryAttempts
 	})
 
-	if err := stack.Finalize.Add(attempt, smithymiddle.After); err != nil {
+	// index retry to before signing, if signing exists
+	if err := stack.Finalize.Insert(attempt, "Signing", smithymiddle.Before); err != nil {
 		return err
 	}
-	if err := stack.Finalize.Add(&MetricsHeader{}, smithymiddle.After); err != nil {
+
+	if err := stack.Finalize.Insert(&MetricsHeader{}, attempt.ID(), smithymiddle.After); err != nil {
 		return err
 	}
 	return nil

vendor/github.com/aws/aws-sdk-go-v2/aws/retry/retryable_error.go

@@ -95,6 +95,21 @@ func (r RetryableConnectionError) IsErrorRetryable(err error) aws.Ternary {
 	var timeoutErr interface{ Timeout() bool }
 	var urlErr *url.Error
 	var netOpErr *net.OpError
+	var dnsError *net.DNSError
+
+	if errors.As(err, &dnsError) {
+		// NXDOMAIN errors should not be retried
+		if dnsError.IsNotFound {
+			return aws.BoolTernary(false)
+		}
+
+		// if !dnsError.Temporary(), error may or may not be temporary,
+		// (i.e. !Temporary() =/=> !retryable) so we should fall through to
+		// remaining checks
+		if dnsError.Temporary() {
+			return aws.BoolTernary(true)
+		}
+	}
 
 	switch {
 	case errors.As(err, &conErr) && conErr.ConnectionError():

vendor/github.com/aws/aws-sdk-go-v2/aws/retryer.go

@@ -54,7 +54,7 @@ type Retryer interface {
 	MaxAttempts() int
 
 	// RetryDelay returns the delay that should be used before retrying the
-	// attempt. Will return error if the if the delay could not be determined.
+	// attempt. Will return error if the delay could not be determined.
 	RetryDelay(attempt int, opErr error) (time.Duration, error)
 
 	// GetRetryToken attempts to deduct the retry cost from the retry token pool.

vendor/github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4/headers.go

@@ -7,6 +7,7 @@ var IgnoredHeaders = Rules{
 			"Authorization":   struct{}{},
 			"User-Agent":      struct{}{},
 			"X-Amzn-Trace-Id": struct{}{},
+			"Expect":          struct{}{},
 		},
 	},
 }
@@ -37,6 +38,7 @@ var RequiredSignedHeaders = Rules{
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key":       struct{}{},
 			"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5":   struct{}{},
+			"X-Amz-Expected-Bucket-Owner":                                 struct{}{},
 			"X-Amz-Grant-Full-control":                                    struct{}{},
 			"X-Amz-Grant-Read":                                            struct{}{},
 			"X-Amz-Grant-Read-Acp":                                        struct{}{},
@@ -47,6 +49,7 @@ var RequiredSignedHeaders = Rules{
 			"X-Amz-Request-Payer":                                         struct{}{},
 			"X-Amz-Server-Side-Encryption":                                struct{}{},
 			"X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id":                 struct{}{},
+			"X-Amz-Server-Side-Encryption-Context":                        struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Algorithm":             struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key":                   struct{}{},
 			"X-Amz-Server-Side-Encryption-Customer-Key-Md5":               struct{}{},

vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/middleware.go

@@ -11,7 +11,9 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
+	"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
 	v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
+	internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
 	"github.com/aws/aws-sdk-go-v2/internal/sdk"
 	"github.com/aws/smithy-go/middleware"
 	smithyhttp "github.com/aws/smithy-go/transport/http"
@@ -57,7 +59,7 @@ func (e *SigningError) Unwrap() error {
 // S3 PutObject API allows unsigned payload signing auth usage when TLS is enabled, and uses this middleware to
 // dynamically switch between unsigned and signed payload based on TLS state for request.
 func UseDynamicPayloadSigningMiddleware(stack *middleware.Stack) error {
-	_, err := stack.Build.Swap(computePayloadHashMiddlewareID, &dynamicPayloadSigningMiddleware{})
+	_, err := stack.Finalize.Swap(computePayloadHashMiddlewareID, &dynamicPayloadSigningMiddleware{})
 	return err
 }
 
@@ -70,24 +72,22 @@ func (m *dynamicPayloadSigningMiddleware) ID() string {
 	return computePayloadHashMiddlewareID
 }
 
-// HandleBuild sets a resolver that directs to the payload sha256 compute handler.
-func (m *dynamicPayloadSigningMiddleware) HandleBuild(
-	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+// HandleFinalize delegates SHA256 computation according to whether the request
+// is TLS-enabled.
+func (m *dynamicPayloadSigningMiddleware) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
 ) (
-	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
 	}
 
-	// if TLS is enabled, use unsigned payload when supported
 	if req.IsHTTPS() {
-		return (&unsignedPayload{}).HandleBuild(ctx, in, next)
+		return (&unsignedPayload{}).HandleFinalize(ctx, in, next)
 	}
-
-	// else fall back to signed payload
-	return (&computePayloadSHA256{}).HandleBuild(ctx, in, next)
+	return (&computePayloadSHA256{}).HandleFinalize(ctx, in, next)
 }
 
 // unsignedPayload sets the SigV4 request payload hash to unsigned.
@@ -103,7 +103,7 @@ type unsignedPayload struct{}
 // AddUnsignedPayloadMiddleware adds unsignedPayload to the operation
 // middleware stack
 func AddUnsignedPayloadMiddleware(stack *middleware.Stack) error {
-	return stack.Build.Add(&unsignedPayload{}, middleware.After)
+	return stack.Finalize.Insert(&unsignedPayload{}, "ResolveEndpointV2", middleware.After)
 }
 
 // ID returns the unsignedPayload identifier
@@ -111,23 +111,16 @@ func (m *unsignedPayload) ID() string {
 	return computePayloadHashMiddlewareID
 }
 
-// HandleBuild sets the payload hash to be an unsigned payload
-func (m *unsignedPayload) HandleBuild(
-	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+// HandleFinalize sets the payload hash magic value to the unsigned sentinel.
+func (m *unsignedPayload) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
 ) (
-	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
-	// This should not compute the content SHA256 if the value is already
-	// known. (e.g. application pre-computed SHA256 before making API call).
-	// Does not have any tight coupling to the X-Amz-Content-Sha256 header, if
-	// that header is provided a middleware must translate it into the context.
-	contentSHA := GetPayloadHash(ctx)
-	if len(contentSHA) == 0 {
-		contentSHA = v4Internal.UnsignedPayload
+	if GetPayloadHash(ctx) == "" {
+		ctx = SetPayloadHash(ctx, v4Internal.UnsignedPayload)
 	}
-
-	ctx = SetPayloadHash(ctx, contentSHA)
-	return next.HandleBuild(ctx, in)
+	return next.HandleFinalize(ctx, in)
 }
 
 // computePayloadSHA256 computes SHA256 payload hash to sign.
@@ -143,13 +136,13 @@ type computePayloadSHA256 struct{}
 // AddComputePayloadSHA256Middleware adds computePayloadSHA256 to the
 // operation middleware stack
 func AddComputePayloadSHA256Middleware(stack *middleware.Stack) error {
-	return stack.Build.Add(&computePayloadSHA256{}, middleware.After)
+	return stack.Finalize.Insert(&computePayloadSHA256{}, "ResolveEndpointV2", middleware.After)
 }
 
 // RemoveComputePayloadSHA256Middleware removes computePayloadSHA256 from the
 // operation middleware stack
 func RemoveComputePayloadSHA256Middleware(stack *middleware.Stack) error {
-	_, err := stack.Build.Remove(computePayloadHashMiddlewareID)
+	_, err := stack.Finalize.Remove(computePayloadHashMiddlewareID)
 	return err
 }
 
@@ -158,12 +151,17 @@ func (m *computePayloadSHA256) ID() string {
 	return computePayloadHashMiddlewareID
 }
 
-// HandleBuild compute the payload hash for the request payload
-func (m *computePayloadSHA256) HandleBuild(
-	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+// HandleFinalize computes the payload hash for the request, storing it to the
+// context. This is a no-op if a caller has previously set that value.
+func (m *computePayloadSHA256) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
 ) (
-	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
+	if GetPayloadHash(ctx) != "" {
+		return next.HandleFinalize(ctx, in)
+	}
+
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
 		return out, metadata, &HashComputationError{
@@ -171,14 +169,6 @@ func (m *computePayloadSHA256) HandleBuild(
 		}
 	}
 
-	// This should not compute the content SHA256 if the value is already
-	// known. (e.g. application pre-computed SHA256 before making API call)
-	// Does not have any tight coupling to the X-Amz-Content-Sha256 header, if
-	// that header is provided a middleware must translate it into the context.
-	if contentSHA := GetPayloadHash(ctx); len(contentSHA) != 0 {
-		return next.HandleBuild(ctx, in)
-	}
-
 	hash := sha256.New()
 	if stream := req.GetStream(); stream != nil {
 		_, err = io.Copy(hash, stream)
@@ -197,7 +187,7 @@ func (m *computePayloadSHA256) HandleBuild(
 
 	ctx = SetPayloadHash(ctx, hex.EncodeToString(hash.Sum(nil)))
 
-	return next.HandleBuild(ctx, in)
+	return next.HandleFinalize(ctx, in)
 }
 
 // SwapComputePayloadSHA256ForUnsignedPayloadMiddleware replaces the
@@ -206,7 +196,7 @@ func (m *computePayloadSHA256) HandleBuild(
 // Use this to disable computing the Payload SHA256 checksum and instead use
 // UNSIGNED-PAYLOAD for the SHA256 value.
 func SwapComputePayloadSHA256ForUnsignedPayloadMiddleware(stack *middleware.Stack) error {
-	_, err := stack.Build.Swap(computePayloadHashMiddlewareID, &unsignedPayload{})
+	_, err := stack.Finalize.Swap(computePayloadHashMiddlewareID, &unsignedPayload{})
 	return err
 }
 
@@ -217,13 +207,13 @@ type contentSHA256Header struct{}
 // AddContentSHA256HeaderMiddleware adds ContentSHA256Header to the
 // operation middleware stack
 func AddContentSHA256HeaderMiddleware(stack *middleware.Stack) error {
-	return stack.Build.Insert(&contentSHA256Header{}, computePayloadHashMiddlewareID, middleware.After)
+	return stack.Finalize.Insert(&contentSHA256Header{}, computePayloadHashMiddlewareID, middleware.After)
 }
 
 // RemoveContentSHA256HeaderMiddleware removes contentSHA256Header middleware
 // from the operation middleware stack
 func RemoveContentSHA256HeaderMiddleware(stack *middleware.Stack) error {
-	_, err := stack.Build.Remove((*contentSHA256Header)(nil).ID())
+	_, err := stack.Finalize.Remove((*contentSHA256Header)(nil).ID())
 	return err
 }
 
@@ -232,12 +222,12 @@ func (m *contentSHA256Header) ID() string {
 	return "SigV4ContentSHA256Header"
 }
 
-// HandleBuild sets the X-Amz-Content-Sha256 header value to the Payload hash
+// HandleFinalize sets the X-Amz-Content-Sha256 header value to the Payload hash
 // stored in the context.
-func (m *contentSHA256Header) HandleBuild(
-	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+func (m *contentSHA256Header) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
 ) (
-	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
 	req, ok := in.Request.(*smithyhttp.Request)
 	if !ok {
@@ -245,25 +235,35 @@ func (m *contentSHA256Header) HandleBuild(
 	}
 
 	req.Header.Set(v4Internal.ContentSHAKey, GetPayloadHash(ctx))
-
-	return next.HandleBuild(ctx, in)
+	return next.HandleFinalize(ctx, in)
 }
 
-// SignHTTPRequestMiddlewareOptions is the configuration options for the SignHTTPRequestMiddleware middleware.
+// SignHTTPRequestMiddlewareOptions is the configuration options for
+// [SignHTTPRequestMiddleware].
+//
+// Deprecated: [SignHTTPRequestMiddleware] is deprecated.
 type SignHTTPRequestMiddlewareOptions struct {
 	CredentialsProvider aws.CredentialsProvider
 	Signer              HTTPSigner
 	LogSigning          bool
 }
 
-// SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation for SigV4 HTTP Signing
+// SignHTTPRequestMiddleware is a `FinalizeMiddleware` implementation for SigV4
+// HTTP Signing.
+//
+// Deprecated: AWS service clients no longer use this middleware. Signing as an
+// SDK operation is now performed through an internal per-service middleware
+// which opaquely selects and uses the signer from the resolved auth scheme.
 type SignHTTPRequestMiddleware struct {
 	credentialsProvider aws.CredentialsProvider
 	signer              HTTPSigner
 	logSigning          bool
 }
 
-// NewSignHTTPRequestMiddleware constructs a SignHTTPRequestMiddleware using the given Signer for signing requests
+// NewSignHTTPRequestMiddleware constructs a [SignHTTPRequestMiddleware] using
+// the given [Signer] for signing requests.
+//
+// Deprecated: SignHTTPRequestMiddleware is deprecated.
 func NewSignHTTPRequestMiddleware(options SignHTTPRequestMiddlewareOptions) *SignHTTPRequestMiddleware {
 	return &SignHTTPRequestMiddleware{
 		credentialsProvider: options.CredentialsProvider,
@@ -272,12 +272,17 @@ func NewSignHTTPRequestMiddleware(options SignHTTPRequestMiddlewareOptions) *Sig
 	}
 }
 
-// ID is the SignHTTPRequestMiddleware identifier
+// ID is the SignHTTPRequestMiddleware identifier.
+//
+// Deprecated: SignHTTPRequestMiddleware is deprecated.
 func (s *SignHTTPRequestMiddleware) ID() string {
 	return "Signing"
 }
 
-// HandleFinalize will take the provided input and sign the request using the SigV4 authentication scheme
+// HandleFinalize will take the provided input and sign the request using the
+// SigV4 authentication scheme.
+//
+// Deprecated: SignHTTPRequestMiddleware is deprecated.
 func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
 	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
@@ -296,16 +301,56 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
 		return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
 	}
 
+	mctx := metrics.Context(ctx)
+
+	if mctx != nil {
+		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
+			attempt.CredentialFetchStartTime = sdk.NowTime()
+		}
+	}
+
 	credentials, err := s.credentialsProvider.Retrieve(ctx)
+
+	if mctx != nil {
+		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
+			attempt.CredentialFetchEndTime = sdk.NowTime()
+		}
+	}
+
 	if err != nil {
 		return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
 	}
 
-	err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(),
+	signerOptions := []func(o *SignerOptions){
 		func(o *SignerOptions) {
 			o.Logger = middleware.GetLogger(ctx)
 			o.LogSigning = s.logSigning
+		},
+	}
+
+	// existing DisableURIPathEscaping is equivalent in purpose
+	// to authentication scheme property DisableDoubleEncoding
+	disableDoubleEncoding, overridden := internalauth.GetDisableDoubleEncoding(ctx)
+	if overridden {
+		signerOptions = append(signerOptions, func(o *SignerOptions) {
+			o.DisableURIPathEscaping = disableDoubleEncoding
 		})
+	}
+
+	if mctx != nil {
+		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
+			attempt.SignStartTime = sdk.NowTime()
+		}
+	}
+
+	err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
+
+	if mctx != nil {
+		if attempt, err := mctx.Data().LatestAttempt(); err == nil {
+			attempt.SignEndTime = sdk.NowTime()
+		}
+	}
+
 	if err != nil {
 		return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
 	}
@@ -319,17 +364,17 @@ type streamingEventsPayload struct{}
 
 // AddStreamingEventsPayload adds the streamingEventsPayload middleware to the stack.
 func AddStreamingEventsPayload(stack *middleware.Stack) error {
-	return stack.Build.Add(&streamingEventsPayload{}, middleware.After)
+	return stack.Finalize.Add(&streamingEventsPayload{}, middleware.Before)
 }
 
 func (s *streamingEventsPayload) ID() string {
 	return computePayloadHashMiddlewareID
 }
 
-func (s *streamingEventsPayload) HandleBuild(
-	ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
+func (s *streamingEventsPayload) HandleFinalize(
+	ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler,
 ) (
-	out middleware.BuildOutput, metadata middleware.Metadata, err error,
+	out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
 ) {
 	contentSHA := GetPayloadHash(ctx)
 	if len(contentSHA) == 0 {
@@ -338,7 +383,7 @@ func (s *streamingEventsPayload) HandleBuild(
 
 	ctx = SetPayloadHash(ctx, contentSHA)
 
-	return next.HandleBuild(ctx, in)
+	return next.HandleFinalize(ctx, in)
 }
 
 // GetSignedRequestSignature attempts to extract the signature of the request.

vendor/github.com/aws/aws-sdk-go-v2/aws/signer/v4/v4.go

@@ -68,6 +68,9 @@ import (
 const (
 	signingAlgorithm    = "AWS4-HMAC-SHA256"
 	authorizationHeader = "Authorization"
+
+	// Version of signing v4
+	Version = "SigV4"
 )
 
 // HTTPSigner is an interface to a SigV4 signer that can sign HTTP requests
@@ -103,6 +106,11 @@ type SignerOptions struct {
 	// This will enable logging of the canonical request, the string to sign, and for presigning the subsequent
 	// presigned URL.
 	LogSigning bool
+
+	// Disables setting the session token on the request as part of signing
+	// through X-Amz-Security-Token. This is needed for variations of v4 that
+	// present the token elsewhere.
+	DisableSessionToken bool
 }
 
 // Signer applies AWS v4 signing to given request. Use this to sign requests
@@ -136,6 +144,7 @@ type httpSigner struct {
 
 	DisableHeaderHoisting  bool
 	DisableURIPathEscaping bool
+	DisableSessionToken    bool
 }
 
 func (s *httpSigner) Build() (signedRequest, error) {
@@ -284,6 +293,7 @@ func (s Signer) SignHTTP(ctx context.Context, credentials aws.Credentials, r *ht
 		Time:                   v4Internal.NewSigningTime(signingTime.UTC()),
 		DisableHeaderHoisting:  options.DisableHeaderHoisting,
 		DisableURIPathEscaping: options.DisableURIPathEscaping,
+		DisableSessionToken:    options.DisableSessionToken,
 		KeyDerivator:           s.keyDerivator,
 	}
 
@@ -335,7 +345,7 @@ func (s Signer) SignHTTP(ctx context.Context, credentials aws.Credentials, r *ht
 //
 //	expires := 20 * time.Minute
 //	query := req.URL.Query()
-//	query.Set("X-Amz-Expires", strconv.FormatInt(int64(expires/time.Second), 10)
+//	query.Set("X-Amz-Expires", strconv.FormatInt(int64(expires/time.Second), 10))
 //	req.URL.RawQuery = query.Encode()
 //
 // This method does not modify the provided request.
@@ -360,6 +370,7 @@ func (s *Signer) PresignHTTP(
 		IsPreSign:              true,
 		DisableHeaderHoisting:  options.DisableHeaderHoisting,
 		DisableURIPathEscaping: options.DisableURIPathEscaping,
+		DisableSessionToken:    options.DisableSessionToken,
 		KeyDerivator:           s.keyDerivator,
 	}
 
@@ -502,7 +513,8 @@ func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Val
 
 	if s.IsPreSign {
 		query.Set(v4Internal.AmzAlgorithmKey, signingAlgorithm)
-		if sessionToken := s.Credentials.SessionToken; len(sessionToken) > 0 {
+		sessionToken := s.Credentials.SessionToken
+		if !s.DisableSessionToken && len(sessionToken) > 0 {
 			query.Set("X-Amz-Security-Token", sessionToken)
 		}
 
@@ -512,7 +524,7 @@ func (s *httpSigner) setRequiredSigningFields(headers http.Header, query url.Val
 
 	headers[v4Internal.AmzDateKey] = append(headers[v4Internal.AmzDateKey][:0], amzDate)
 
-	if len(s.Credentials.SessionToken) > 0 {
+	if !s.DisableSessionToken && len(s.Credentials.SessionToken) > 0 {
 		headers[v4Internal.AmzSecurityTokenKey] = append(headers[v4Internal.AmzSecurityTokenKey][:0], s.Credentials.SessionToken)
 	}
 }