aws-sdk-core 2.11.400 → 2.11.401

data/apis/lambda/2015-03-31/api-2.json

@@ -2061,10 +2061,13 @@
         "nodejs6.10",
         "nodejs8.10",
         "nodejs10.x",
+        "nodejs12.x",
         "java8",
+        "java11",
         "python2.7",
         "python3.6",
         "python3.7",
+        "python3.8",
         "dotnetcore1.0",
         "dotnetcore2.0",
         "dotnetcore2.1",

data/endpoints.json

@@ -2651,6 +2651,10 @@
       "qldb" : {
         "endpoints" : {
           "ap-northeast-1" : { },
+          "ap-northeast-2" : { },
+          "ap-southeast-1" : { },
+          "ap-southeast-2" : { },
+          "eu-central-1" : { },
           "eu-west-1" : { },
           "us-east-1" : { },
           "us-east-2" : { },
@@ -3326,6 +3330,10 @@
       "session.qldb" : {
         "endpoints" : {
           "ap-northeast-1" : { },
+          "ap-northeast-2" : { },
+          "ap-southeast-1" : { },
+          "ap-southeast-2" : { },
+          "eu-central-1" : { },
           "eu-west-1" : { },
           "us-east-1" : { },
           "us-east-2" : { },

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -11,6 +11,15 @@ module Aws
     # @api private
     class Non200Response < RuntimeError; end
 
+    # @api private
+    class TokenRetrivalError < RuntimeError; end
+
+    # @api private
+    class TokenExpiredError < RuntimeError; end
+
+    # @api private
+    class TokenRetrivalUnavailableError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -26,6 +35,14 @@ module Aws
       Non200Response,
     ]
 
+    # Path base for GET request for profile and credentials
+    # @api private
+    METADATA_PATH_BASE = '/latest/meta-data/iam/security-credentials/'
+
+    # Path for PUT request for token
+    # @api private
+    METADATA_TOKEN_PATH = '/latest/api/token'
+
     # @param [Hash] options
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
@@ -40,6 +57,8 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
+    # @option options [Integer] :token_ttl (21600) Time-to-Live in seconds for
+    #   EC2 Metadata Token used for fetching Metadata Profile Credentials.
     def initialize options = {}
       @retries = options[:retries] || 5
       @ip_address = options[:ip_address] || '169.254.169.254'
@@ -48,11 +67,13 @@ module Aws
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
+      @token_ttl = options[:token_ttl] || 21600
       super
     end
 
-    # @return [Integer] The number of times to retry failed attempts to
-    #   fetch credentials from the instance metadata service. Defaults to 0.
+    # @return [Integer] Number of times to retry when retrieving credentials
+    #   from the instance metadata service. Defaults to 0 when resolving from
+    #   the default credential chain ({Aws::CredentialProviderChain}).
     attr_reader :retries
 
     private
@@ -93,9 +114,11 @@ module Aws
         begin
           retry_errors(NETWORK_ERRORS, max_retries: @retries) do
             open_connection do |conn|
-              path = '/latest/meta-data/iam/security-credentials/'
-              profile_name = http_get(conn, path).lines.first.strip
-              http_get(conn, path + profile_name)
+              _token_attempt(conn)
+              token_value = @token.value if token_set?
+              profile_name = http_get(conn, METADATA_PATH_BASE, token_value)
+                .lines.first.strip
+              http_get(conn, METADATA_PATH_BASE + profile_name, token_value)
             end
           end
         rescue
@@ -104,6 +127,28 @@ module Aws
       end
     end
 
+    def token_set?
+      @token && !@token.expired?
+    end
+
+    # attempt to fetch token with retries baked in
+    # would be skipped if token already set
+    def _token_attempt(conn)
+      begin
+        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+          unless token_set?
+            token_value, ttl = http_put(conn, METADATA_TOKEN_PATH, @token_ttl)
+            @token = Token.new(token_value, ttl) if token_value && ttl
+          end
+        end
+      rescue *NETWORK_ERRORS, TokenRetrivalUnavailableError
+        # token attempt failed with allowable errors (those indicating
+        # token retrieval not available on the instance), reset token to
+        # allow safe failover to non-token mode
+        @token = nil
+      end
+    end
+
     def _metadata_disabled?
       flag = ENV["AWS_EC2_METADATA_DISABLED"]
       !flag.nil? && flag.downcase == "true"
@@ -118,10 +163,40 @@ module Aws
       yield(http).tap { http.finish }
     end
 
-    def http_get(connection, path)
-      response = connection.request(Net::HTTP::Get.new(path))
-      if response.code.to_i == 200
+    # GET request fetch profile and credentials
+    def http_get(connection, path, token=nil)
+      headers = {"User-Agent" => "aws-sdk-ruby2/#{VERSION}"}
+      headers["x-aws-ec2-metadata-token"] = token if token
+      response = connection.request(Net::HTTP::Get.new(path, headers))
+      case response.code.to_i
+      when 200
         response.body
+      when 401
+        raise TokenExpiredError
+      else
+        raise Non200Response
+      end
+    end
+
+    # PUT request fetch token with ttl
+    def http_put(connection, path, ttl)
+      headers = {
+        "User-Agent" => "aws-sdk-ruby2/#{VERSION}",
+        "x-aws-ec2-metadata-token-ttl-seconds" => ttl.to_s
+      }
+      response = connection.request(Net::HTTP::Put.new(path, headers))
+      case response.code.to_i
+      when 200
+        [
+          response.body,
+          response.header["x-aws-ec2-metadata-token-ttl-seconds"].to_i
+        ]
+      when 400
+        raise TokenRetrivalError
+      when 403
+      when 404
+      when 405
+        raise TokenRetrivalUnavailableError
       else
         raise Non200Response
       end
@@ -143,5 +218,24 @@ module Aws
       end
     end
 
+    # @api private
+    # Token used to fetch IMDS profile and credentials
+    class Token
+
+      def initialize(value, ttl)
+        @ttl = ttl
+        @value = value
+        @created_time = Time.now
+      end
+
+      # [String] token value
+      attr_reader :value
+
+      def expired?
+        Time.now - @created_time > @ttl
+      end
+
+    end
+
   end
 end

data/lib/aws-sdk-core/version.rb

@@ -1,3 +1,3 @@
 module Aws
-  VERSION = '2.11.400'
+  VERSION = '2.11.401'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 2.11.400
+  version: 2.11.401
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-18 00:00:00.000000000 Z
+date: 2019-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath