aws-sdk-core 3.104.4 → 3.109.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +5 -3
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +19 -0
- data/lib/aws-sdk-core/errors.rb +5 -2
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +22 -7
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +7 -6
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +1 -1
- data/lib/aws-sdk-core/shared_config.rb +33 -0
- data/lib/aws-sdk-core/sso_credentials.rb +116 -0
- data/lib/aws-sdk-sso.rb +55 -0
- data/lib/aws-sdk-sso/client.rb +548 -0
- data/lib/aws-sdk-sso/client_api.rb +190 -0
- data/lib/aws-sdk-sso/customizations.rb +1 -0
- data/lib/aws-sdk-sso/errors.rb +102 -0
- data/lib/aws-sdk-sso/plugins/content_type.rb +25 -0
- data/lib/aws-sdk-sso/resource.rb +26 -0
- data/lib/aws-sdk-sso/types.rb +352 -0
- data/lib/aws-sdk-sts.rb +3 -2
- data/lib/aws-sdk-sts/client.rb +24 -9
- data/lib/aws-sdk-sts/client_api.rb +1 -0
- data/lib/aws-sdk-sts/types.rb +2 -2
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +4 -1
- data/lib/seahorse/util.rb +6 -1
- metadata +11 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: dbf38b341cf731a1a9fae33006863d5bb82279c1df1ebe898bf610e6c0561eca
|
4
|
+
data.tar.gz: e7e782991bf3d640399a2654b0716496ccf6cbc5b4dd950772032e9999d2774d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: c99c441bbc19e1316a61cdfb1292441a195802986bab00a473e7637ea4d911574a68bee4589989ac84e6e6587467a39a8670d71f640eb90f06d496bb03253415
|
7
|
+
data.tar.gz: '029b522c5c13d47b5e7af30b9f81c80c5057aacf2dfacb89ddfd5e09d992a335806a106615c7b9794966b537d93823f70ba9f65b76f3682d0283fdf19c67a4d7'
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.109.1
|
data/lib/aws-sdk-core.rb
CHANGED
@@ -18,9 +18,9 @@ require_relative 'aws-sdk-core/ecs_credentials'
|
|
18
18
|
require_relative 'aws-sdk-core/instance_profile_credentials'
|
19
19
|
require_relative 'aws-sdk-core/shared_credentials'
|
20
20
|
require_relative 'aws-sdk-core/process_credentials'
|
21
|
+
require_relative 'aws-sdk-core/sso_credentials'
|
21
22
|
|
22
23
|
# client modules
|
23
|
-
|
24
24
|
require_relative 'aws-sdk-core/client_stubs'
|
25
25
|
require_relative 'aws-sdk-core/async_client_stubs'
|
26
26
|
require_relative 'aws-sdk-core/eager_loader'
|
@@ -86,10 +86,12 @@ require_relative 'aws-sdk-core/client_side_monitoring/publisher'
|
|
86
86
|
require_relative 'aws-sdk-core/arn'
|
87
87
|
require_relative 'aws-sdk-core/arn_parser'
|
88
88
|
|
89
|
-
# aws-sdk-sts is
|
90
|
-
|
89
|
+
# aws-sdk-sts is included to support Aws::AssumeRoleCredentials
|
91
90
|
require 'aws-sdk-sts'
|
92
91
|
|
92
|
+
# aws-sdk-sso is included to support Aws::SSOCredentials
|
93
|
+
require 'aws-sdk-sso'
|
94
|
+
|
93
95
|
module Aws
|
94
96
|
|
95
97
|
CORE_GEM_VERSION = File.read(File.expand_path('../../VERSION', __FILE__)).strip
|
data/lib/aws-sdk-core/arn.rb
CHANGED
@@ -75,5 +75,18 @@ module Aws
|
|
75
75
|
def to_s
|
76
76
|
"arn:#{partition}:#{service}:#{region}:#{account_id}:#{resource}"
|
77
77
|
end
|
78
|
+
|
79
|
+
# Return the ARN as a hash
|
80
|
+
#
|
81
|
+
# @return [Hash]
|
82
|
+
def to_h
|
83
|
+
{
|
84
|
+
partition: @partition,
|
85
|
+
service: @service,
|
86
|
+
region: @region,
|
87
|
+
account_id: @account_id,
|
88
|
+
resource: @resource
|
89
|
+
}
|
90
|
+
end
|
78
91
|
end
|
79
92
|
end
|
@@ -22,11 +22,13 @@ module Aws
|
|
22
22
|
[
|
23
23
|
[:static_credentials, {}],
|
24
24
|
[:static_profile_assume_role_web_identity_credentials, {}],
|
25
|
+
[:static_profile_sso_credentials, {}],
|
25
26
|
[:static_profile_assume_role_credentials, {}],
|
26
27
|
[:static_profile_credentials, {}],
|
27
28
|
[:static_profile_process_credentials, {}],
|
28
29
|
[:env_credentials, {}],
|
29
30
|
[:assume_role_web_identity_credentials, {}],
|
31
|
+
[:sso_credentials, {}],
|
30
32
|
[:assume_role_credentials, {}],
|
31
33
|
[:shared_credentials, {}],
|
32
34
|
[:process_credentials, {}],
|
@@ -57,6 +59,14 @@ module Aws
|
|
57
59
|
end
|
58
60
|
end
|
59
61
|
|
62
|
+
def static_profile_sso_credentials(options)
|
63
|
+
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
64
|
+
Aws.shared_config.sso_credentials_from_config(
|
65
|
+
profile: options[:config].profile
|
66
|
+
)
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
60
70
|
def static_profile_assume_role_credentials(options)
|
61
71
|
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
62
72
|
assume_role_with_profile(options, options[:config].profile)
|
@@ -115,6 +125,15 @@ module Aws
|
|
115
125
|
nil
|
116
126
|
end
|
117
127
|
|
128
|
+
def sso_credentials(options)
|
129
|
+
profile_name = determine_profile_name(options)
|
130
|
+
if Aws.shared_config.config_enabled?
|
131
|
+
Aws.shared_config.sso_credentials_from_config(profile: profile_name)
|
132
|
+
end
|
133
|
+
rescue Errors::NoSuchProfileError
|
134
|
+
nil
|
135
|
+
end
|
136
|
+
|
118
137
|
def assume_role_credentials(options)
|
119
138
|
if Aws.shared_config.config_enabled?
|
120
139
|
assume_role_with_profile(options, determine_profile_name(options))
|
data/lib/aws-sdk-core/errors.rb
CHANGED
@@ -16,10 +16,10 @@ module Aws
|
|
16
16
|
# @param [Aws::Structure] data
|
17
17
|
def initialize(context, message, data = Aws::EmptyStructure.new)
|
18
18
|
@code = self.class.code
|
19
|
-
@message = message if message && !message.empty?
|
20
19
|
@context = context
|
21
20
|
@data = data
|
22
|
-
|
21
|
+
@message = message && !message.empty? ? message : self.class
|
22
|
+
super(@message)
|
23
23
|
end
|
24
24
|
|
25
25
|
# @return [String]
|
@@ -207,6 +207,9 @@ module Aws
|
|
207
207
|
# payload with either invalid version number or malformed contents
|
208
208
|
class InvalidProcessCredentialsPayload < RuntimeError; end
|
209
209
|
|
210
|
+
# Raised when SSO Credentials are invalid
|
211
|
+
class InvalidSSOCredentials < RuntimeError; end
|
212
|
+
|
210
213
|
# Raised when a client is constructed and region is not specified.
|
211
214
|
class MissingRegionError < ArgumentError
|
212
215
|
def initialize(*args)
|
@@ -30,13 +30,28 @@ following classes:
|
|
30
30
|
* `Aws::Credentials` - Used for configuring static, non-refreshing
|
31
31
|
credentials.
|
32
32
|
|
33
|
+
* `Aws::SharedCredentials` - Used for loading static credentials from a
|
34
|
+
shared file, such as `~/.aws/config`.
|
35
|
+
|
36
|
+
* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
37
|
+
|
38
|
+
* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
39
|
+
assume a role after providing credentials via the web.
|
40
|
+
|
41
|
+
* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
42
|
+
access token generated from `aws login`.
|
43
|
+
|
44
|
+
* `Aws::ProcessCredentials` - Used for loading credentials from a
|
45
|
+
process that outputs to stdout.
|
46
|
+
|
33
47
|
* `Aws::InstanceProfileCredentials` - Used for loading credentials
|
34
48
|
from an EC2 IMDS on an EC2 instance.
|
35
49
|
|
36
|
-
* `Aws::
|
37
|
-
|
50
|
+
* `Aws::ECSCredentials` - Used for loading credentials from
|
51
|
+
instances running in ECS.
|
38
52
|
|
39
|
-
* `Aws::
|
53
|
+
* `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
54
|
+
from the Cognito Identity service.
|
40
55
|
|
41
56
|
When `:credentials` are not configured directly, the following
|
42
57
|
locations will be searched for credentials:
|
@@ -46,10 +61,10 @@ locations will be searched for credentials:
|
|
46
61
|
* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
47
62
|
* `~/.aws/credentials`
|
48
63
|
* `~/.aws/config`
|
49
|
-
* EC2 IMDS instance profile - When used by default, the timeouts
|
50
|
-
very aggressive. Construct and pass an instance of
|
51
|
-
`Aws::InstanceProfileCredentails`
|
52
|
-
timeouts.
|
64
|
+
* EC2/ECS IMDS instance profile - When used by default, the timeouts
|
65
|
+
are very aggressive. Construct and pass an instance of
|
66
|
+
`Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
67
|
+
enable retries and extended timeouts.
|
53
68
|
DOCS
|
54
69
|
) do |config|
|
55
70
|
CredentialProviderChain.new(config).resolve
|
@@ -15,17 +15,18 @@ to default service endpoint when available.
|
|
15
15
|
)
|
16
16
|
|
17
17
|
def add_handlers(handlers, config)
|
18
|
-
|
19
|
-
handlers.add(Handler, priority: 90)
|
20
|
-
end
|
18
|
+
handlers.add(Handler, priority: 10)
|
21
19
|
end
|
22
20
|
|
23
21
|
class Handler < Seahorse::Client::Handler
|
24
22
|
|
25
23
|
def call(context)
|
26
|
-
|
27
|
-
|
28
|
-
|
24
|
+
if context.config.regional_endpoint &&
|
25
|
+
!context.config.disable_host_prefix_injection
|
26
|
+
endpoint_trait = context.operation.endpoint_pattern
|
27
|
+
if endpoint_trait && !endpoint_trait.empty?
|
28
|
+
_apply_endpoint_trait(context, endpoint_trait)
|
29
|
+
end
|
29
30
|
end
|
30
31
|
@handler.call(context)
|
31
32
|
end
|
@@ -38,7 +38,7 @@ to test or custom endpoints. This should be a valid HTTP(S) URI.
|
|
38
38
|
end
|
39
39
|
|
40
40
|
# check region is a valid RFC host label
|
41
|
-
unless cfg.region
|
41
|
+
unless Seahorse::Util.host_label?(cfg.region)
|
42
42
|
raise Errors::InvalidRegionError
|
43
43
|
end
|
44
44
|
|
@@ -3,6 +3,8 @@
|
|
3
3
|
module Aws
|
4
4
|
# @api private
|
5
5
|
class SharedConfig
|
6
|
+
SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
|
7
|
+
|
6
8
|
# @return [String]
|
7
9
|
attr_reader :credentials_path
|
8
10
|
|
@@ -135,6 +137,18 @@ module Aws
|
|
135
137
|
end
|
136
138
|
end
|
137
139
|
|
140
|
+
# Attempts to load from shared config or shared credentials file.
|
141
|
+
# Will always attempt first to load from the shared credentials
|
142
|
+
# file, if present.
|
143
|
+
def sso_credentials_from_config(opts = {})
|
144
|
+
p = opts[:profile] || @profile_name
|
145
|
+
credentials = sso_credentials_from_profile(@parsed_credentials, p)
|
146
|
+
if @parsed_config
|
147
|
+
credentials ||= sso_credentials_from_profile(@parsed_config, p)
|
148
|
+
end
|
149
|
+
credentials
|
150
|
+
end
|
151
|
+
|
138
152
|
# Add an accessor method (similar to attr_reader) to return a configuration value
|
139
153
|
# Uses the get_config_value below to control where
|
140
154
|
# values are loaded from
|
@@ -146,6 +160,7 @@ module Aws
|
|
146
160
|
|
147
161
|
config_reader(
|
148
162
|
:region,
|
163
|
+
:ca_bundle,
|
149
164
|
:credential_process,
|
150
165
|
:endpoint_discovery_enabled,
|
151
166
|
:max_attempts,
|
@@ -237,6 +252,8 @@ module Aws
|
|
237
252
|
provider.credentials if provider.credentials.set?
|
238
253
|
elsif (provider = assume_role_process_credentials_from_config(profile))
|
239
254
|
provider.credentials if provider.credentials.set?
|
255
|
+
elsif (provider = sso_credentials_from_config(profile: profile))
|
256
|
+
provider.credentials if provider.credentials.set?
|
240
257
|
end
|
241
258
|
end
|
242
259
|
|
@@ -273,6 +290,22 @@ module Aws
|
|
273
290
|
end
|
274
291
|
end
|
275
292
|
|
293
|
+
# If any of the sso_ profile values are present, attempt to construct
|
294
|
+
# SSOCredentials
|
295
|
+
def sso_credentials_from_profile(cfg, profile)
|
296
|
+
if @parsed_config &&
|
297
|
+
(prof_config = cfg[profile]) &&
|
298
|
+
!(prof_config.keys & SSO_PROFILE_KEYS).empty?
|
299
|
+
|
300
|
+
SSOCredentials.new(
|
301
|
+
sso_start_url: prof_config['sso_start_url'],
|
302
|
+
sso_region: prof_config['sso_region'],
|
303
|
+
sso_account_id: prof_config['sso_account_id'],
|
304
|
+
sso_role_name: prof_config['sso_role_name']
|
305
|
+
)
|
306
|
+
end
|
307
|
+
end
|
308
|
+
|
276
309
|
def credentials_from_profile(prof_config)
|
277
310
|
creds = Credentials.new(
|
278
311
|
prof_config['aws_access_key_id'],
|
@@ -0,0 +1,116 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
# An auto-refreshing credential provider that works by assuming a
|
5
|
+
# role via {Aws::SSO::Client#get_role_credentials} using a cached access
|
6
|
+
# token. This class does NOT implement the SSO login token flow - tokens
|
7
|
+
# must generated and refreshed separately by running `aws login` with the
|
8
|
+
# correct profile.
|
9
|
+
#
|
10
|
+
# For more background on AWS SSO see the official
|
11
|
+
# [what is SSO](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html]
|
12
|
+
# page.
|
13
|
+
#
|
14
|
+
# ## Refreshing Credentials from SSO
|
15
|
+
#
|
16
|
+
# The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
|
17
|
+
# addition to AWS credentials expiring after a given amount of time, the
|
18
|
+
# access token generated and cached from `aws login` will also expire.
|
19
|
+
# Once this token expires, it will not be usable to refresh AWS credentials,
|
20
|
+
# and another token will be needed. The SDK does not manage refreshing of
|
21
|
+
# the token value, but this can be done by running `aws login` with the
|
22
|
+
# correct profile.
|
23
|
+
class SSOCredentials
|
24
|
+
|
25
|
+
include CredentialProvider
|
26
|
+
include RefreshingCredentials
|
27
|
+
|
28
|
+
SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
|
29
|
+
|
30
|
+
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
31
|
+
'expired or is otherwise invalid. To refresh this SSO session run '\
|
32
|
+
'aws sso login with the corresponding profile.'.freeze
|
33
|
+
|
34
|
+
# @option options [required, String] :sso_account_id The AWS account ID
|
35
|
+
# that temporary AWS credentials will be resolved for
|
36
|
+
#
|
37
|
+
# @option options [required, String] :sso_region The AWS region where the
|
38
|
+
# SSO directory for the given sso_start_url is hosted.
|
39
|
+
#
|
40
|
+
# @option options [required, String] :sso_role_name The corresponding
|
41
|
+
# IAM role in the AWS account that temporary AWS credentials
|
42
|
+
# will be resolved for.
|
43
|
+
#
|
44
|
+
# @option options [required, String] :sso_start_url The start URL is
|
45
|
+
# provided by the SSO service via the console and is the URL used to
|
46
|
+
# login to the SSO directory. This is also sometimes referred to as
|
47
|
+
# the "User Portal URL"
|
48
|
+
|
49
|
+
# @option options [SSO::Client] :client Optional `SSO::Client`. If not
|
50
|
+
# provided, a client will be constructed.
|
51
|
+
def initialize(options = {})
|
52
|
+
|
53
|
+
missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
|
54
|
+
unless missing_keys.empty?
|
55
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
56
|
+
end
|
57
|
+
|
58
|
+
@sso_start_url = options.delete(:sso_start_url)
|
59
|
+
@sso_region = options.delete(:sso_region)
|
60
|
+
@sso_role_name = options.delete(:sso_role_name)
|
61
|
+
@sso_account_id = options.delete(:sso_account_id)
|
62
|
+
|
63
|
+
# validate we can read the token file
|
64
|
+
read_cached_token
|
65
|
+
|
66
|
+
options[:region] = @sso_region
|
67
|
+
options[:credentials] = nil
|
68
|
+
@client = options[:client] || SSO::Client.new(options)
|
69
|
+
super
|
70
|
+
end
|
71
|
+
|
72
|
+
# @return [STS::Client]
|
73
|
+
attr_reader :client
|
74
|
+
|
75
|
+
private
|
76
|
+
|
77
|
+
def read_cached_token
|
78
|
+
cached_token = Json.load(File.read(sso_cache_file))
|
79
|
+
# validation
|
80
|
+
unless cached_token['accessToken'] && cached_token['expiresAt']
|
81
|
+
raise ArgumentError, 'Missing required field(s)'
|
82
|
+
end
|
83
|
+
expires_at = DateTime.parse(cached_token['expiresAt'])
|
84
|
+
if expires_at < DateTime.now
|
85
|
+
raise ArgumentError, 'Cached SSO Token is expired.'
|
86
|
+
end
|
87
|
+
cached_token
|
88
|
+
rescue Aws::Json::ParseError, ArgumentError
|
89
|
+
raise Errors::InvalidSSOCredentials, SSO_LOGIN_GUIDANCE
|
90
|
+
end
|
91
|
+
|
92
|
+
def refresh
|
93
|
+
cached_token = read_cached_token
|
94
|
+
c = @client.get_role_credentials(
|
95
|
+
account_id: @sso_account_id,
|
96
|
+
role_name: @sso_role_name,
|
97
|
+
access_token: cached_token['accessToken']
|
98
|
+
).role_credentials
|
99
|
+
|
100
|
+
@credentials = Credentials.new(
|
101
|
+
c.access_key_id,
|
102
|
+
c.secret_access_key,
|
103
|
+
c.session_token
|
104
|
+
)
|
105
|
+
@expiration = c.expiration
|
106
|
+
end
|
107
|
+
|
108
|
+
def sso_cache_file
|
109
|
+
start_url_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_start_url.encode('utf-8'))
|
110
|
+
File.join(Dir.home, '.aws', 'sso', 'cache', "#{start_url_sha1}.json")
|
111
|
+
rescue ArgumentError
|
112
|
+
# Dir.home raises ArgumentError when ENV['home'] is not set
|
113
|
+
raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
|
114
|
+
end
|
115
|
+
end
|
116
|
+
end
|
data/lib/aws-sdk-sso.rb
ADDED
@@ -0,0 +1,55 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# WARNING ABOUT GENERATED CODE
|
4
|
+
#
|
5
|
+
# This file is generated. See the contributing guide for more information:
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
|
7
|
+
#
|
8
|
+
# WARNING ABOUT GENERATED CODE
|
9
|
+
|
10
|
+
|
11
|
+
unless Module.const_defined?(:Aws)
|
12
|
+
require 'aws-sdk-core'
|
13
|
+
require 'aws-sigv4'
|
14
|
+
end
|
15
|
+
|
16
|
+
require_relative 'aws-sdk-sso/types'
|
17
|
+
require_relative 'aws-sdk-sso/client_api'
|
18
|
+
require_relative 'aws-sdk-sso/client'
|
19
|
+
require_relative 'aws-sdk-sso/errors'
|
20
|
+
require_relative 'aws-sdk-sso/resource'
|
21
|
+
require_relative 'aws-sdk-sso/customizations'
|
22
|
+
|
23
|
+
# This module provides support for AWS Single Sign-On. This module is available in the
|
24
|
+
# `aws-sdk-core` gem.
|
25
|
+
#
|
26
|
+
# # Client
|
27
|
+
#
|
28
|
+
# The {Client} class provides one method for each API operation. Operation
|
29
|
+
# methods each accept a hash of request parameters and return a response
|
30
|
+
# structure.
|
31
|
+
#
|
32
|
+
# sso = Aws::SSO::Client.new
|
33
|
+
# resp = sso.get_role_credentials(params)
|
34
|
+
#
|
35
|
+
# See {Client} for more information.
|
36
|
+
#
|
37
|
+
# # Errors
|
38
|
+
#
|
39
|
+
# Errors returned from AWS Single Sign-On are defined in the
|
40
|
+
# {Errors} module and all extend {Errors::ServiceError}.
|
41
|
+
#
|
42
|
+
# begin
|
43
|
+
# # do stuff
|
44
|
+
# rescue Aws::SSO::Errors::ServiceError
|
45
|
+
# # rescues all AWS Single Sign-On API errors
|
46
|
+
# end
|
47
|
+
#
|
48
|
+
# See {Errors} for more information.
|
49
|
+
#
|
50
|
+
# @!group service
|
51
|
+
module Aws::SSO
|
52
|
+
|
53
|
+
GEM_VERSION = '3.109.1'
|
54
|
+
|
55
|
+
end
|