aws-sdk-core 3.104.4 → 3.111.2
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +7 -3
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +19 -0
- data/lib/aws-sdk-core/ec2_metadata.rb +218 -0
- data/lib/aws-sdk-core/errors.rb +5 -2
- data/lib/aws-sdk-core/json/json_engine.rb +3 -3
- data/lib/aws-sdk-core/json/oj_engine.rb +3 -3
- data/lib/aws-sdk-core/pageable_response.rb +2 -2
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +22 -7
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +7 -6
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +1 -1
- data/lib/aws-sdk-core/plugins/retry_errors.rb +4 -3
- data/lib/aws-sdk-core/shared_config.rb +33 -0
- data/lib/aws-sdk-core/sso_credentials.rb +132 -0
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/parser.rb +5 -0
- data/lib/aws-sdk-core/xml/parser/engines/rexml.rb +8 -0
- data/lib/aws-sdk-sso.rb +55 -0
- data/lib/aws-sdk-sso/client.rb +548 -0
- data/lib/aws-sdk-sso/client_api.rb +190 -0
- data/lib/aws-sdk-sso/customizations.rb +1 -0
- data/lib/aws-sdk-sso/errors.rb +102 -0
- data/lib/aws-sdk-sso/plugins/content_type.rb +25 -0
- data/lib/aws-sdk-sso/resource.rb +26 -0
- data/lib/aws-sdk-sso/types.rb +352 -0
- data/lib/aws-sdk-sts.rb +7 -2
- data/lib/aws-sdk-sts/client.rb +24 -9
- data/lib/aws-sdk-sts/client_api.rb +1 -0
- data/lib/aws-sdk-sts/types.rb +2 -2
- data/lib/seahorse/client/h2/connection.rb +1 -2
- data/lib/seahorse/client/net_http/handler.rb +2 -1
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +4 -1
- data/lib/seahorse/client/plugins/response_target.rb +0 -1
- data/lib/seahorse/util.rb +6 -1
- metadata +12 -2
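--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 282f18d47c64542b150b414e2c5bffc94b94edf011b9504c79687ac23adc13e6
+data.tar.gz: c70ec81b05022177b2ceecfdd7d332c17b69028bb8a8babe42f9646e16167742
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a7576e33d28306590206c7a45092f5b41c8ce002a51c4745608c4aa0ca4dba76830d69546f3ffdaa321dae51d3456d2894d090e0cde1243ada25b4ae4648c701
+data.tar.gz: 36ba0115844053b24f8465368532768fef87c28d6abacbe82eab99178661f95b4cc1d1dc52b3a7724092bd72cfa983a1d03e50b25241534a8e9ec067e2c9b43b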
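--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.111.2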
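--- a/data/lib/aws-sdk-core.rb
+++ b/data/lib/aws-sdk-core.rb
@@ -18,6 +18,7 @@ require_relative 'aws-sdk-core/ecs_credentials'
 require_relative 'aws-sdk-core/instance_profile_credentials'
 require_relative 'aws-sdk-core/shared_credentials'
 require_relative 'aws-sdk-core/process_credentials'
+require_relative 'aws-sdk-core/sso_credentials'
 
 # client modules
 
@@ -81,14 +82,17 @@ require_relative 'aws-sdk-core/endpoint_cache'
 require_relative 'aws-sdk-core/client_side_monitoring/request_metrics'
 require_relative 'aws-sdk-core/client_side_monitoring/publisher'
 
-#
+# utilities
 
 require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
+require_relative 'aws-sdk-core/ec2_metadata'
 
-# aws-sdk-sts is
+# aws-sdk-sts is included to support Aws::AssumeRoleCredentials
+require_relative 'aws-sdk-sts'
 
-
+# aws-sdk-sso is included to support Aws::SSOCredentials
+require_relative 'aws-sdk-sso'
 
 module Aws
 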
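--- a/data/lib/aws-sdk-core/arn.rb
+++ b/data/lib/aws-sdk-core/arn.rb
@@ -75,5 +75,18 @@ module Aws
 def to_s
 "arn:#{partition}:#{service}:#{region}:#{account_id}:#{resource}"
 end
+
+# Return the ARN as a hash
+#
+# @return [Hash]
+def to_h
+{
+partition: @partition,
+service: @service,
+region: @region,
+account_id: @account_id,
+resource: @resource
+}
+end
 end
 end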
@@ -22,11 +22,13 @@ module Aws
|
|
22
22
|
[
|
23
23
|
[:static_credentials, {}],
|
24
24
|
[:static_profile_assume_role_web_identity_credentials, {}],
|
25
|
+
[:static_profile_sso_credentials, {}],
|
25
26
|
[:static_profile_assume_role_credentials, {}],
|
26
27
|
[:static_profile_credentials, {}],
|
27
28
|
[:static_profile_process_credentials, {}],
|
28
29
|
[:env_credentials, {}],
|
29
30
|
[:assume_role_web_identity_credentials, {}],
|
31
|
+
[:sso_credentials, {}],
|
30
32
|
[:assume_role_credentials, {}],
|
31
33
|
[:shared_credentials, {}],
|
32
34
|
[:process_credentials, {}],
|
@@ -57,6 +59,14 @@ module Aws
|
|
57
59
|
end
|
58
60
|
end
|
59
61
|
|
62
|
+
def static_profile_sso_credentials(options)
|
63
|
+
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
64
|
+
Aws.shared_config.sso_credentials_from_config(
|
65
|
+
profile: options[:config].profile
|
66
|
+
)
|
67
|
+
end
|
68
|
+
end
|
69
|
+
|
60
70
|
def static_profile_assume_role_credentials(options)
|
61
71
|
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
62
72
|
assume_role_with_profile(options, options[:config].profile)
|
@@ -115,6 +125,15 @@ module Aws
|
|
115
125
|
nil
|
116
126
|
end
|
117
127
|
|
128
|
+
def sso_credentials(options)
|
129
|
+
profile_name = determine_profile_name(options)
|
130
|
+
if Aws.shared_config.config_enabled?
|
131
|
+
Aws.shared_config.sso_credentials_from_config(profile: profile_name)
|
132
|
+
end
|
133
|
+
rescue Errors::NoSuchProfileError
|
134
|
+
nil
|
135
|
+
end
|
136
|
+
|
118
137
|
def assume_role_credentials(options)
|
119
138
|
if Aws.shared_config.config_enabled?
|
120
139
|
assume_role_with_profile(options, determine_profile_name(options))
|
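Review bot: The two new providers `static_profile_sso_credentials` and `sso_credentials` carry no comment, and they differ in error handling in a way that deserves one: `sso_credentials` rescues `Errors::NoSuchProfileError` and returns nil, while `static_profile_sso_credentials` lets it propagate. If that asymmetry is intentional (an explicitly configured profile that does not exist should fail loudly rather than silently fall through to the next provider in the chain), state it on the method, e.g. `# Not rescued on purpose: a profile named explicitly in the config must exist; a missing one surfaces instead of falling through the chain`. The sibling `static_profile_assume_role_credentials` appears to follow the same no-rescue pattern, but its body runs past the hunk, so I could not confirm it. Both methods return nil whenever `Aws.shared_config.config_enabled?` is false, which is what the chain expects from a provider; a one-line docstring saying so on each would save the next reader a trip to `resolve`.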
@@ -0,0 +1,218 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'time'
|
4
|
+
require 'net/http'
|
5
|
+
|
6
|
+
module Aws
|
7
|
+
# A client that can query version 2 of the EC2 Instance Metadata
|
8
|
+
class EC2Metadata
|
9
|
+
# Path for PUT request for token
|
10
|
+
# @api private
|
11
|
+
METADATA_TOKEN_PATH = '/latest/api/token'.freeze
|
12
|
+
|
13
|
+
# Raised when the PUT request is not valid. This would be thrown if
|
14
|
+
# `token_ttl` is not an Integer.
|
15
|
+
# @api private
|
16
|
+
class TokenRetrievalError < RuntimeError; end
|
17
|
+
|
18
|
+
# Token has expired, and the request can be retried with a new token.
|
19
|
+
# @api private
|
20
|
+
class TokenExpiredError < RuntimeError; end
|
21
|
+
|
22
|
+
# The requested metadata path does not exist.
|
23
|
+
# @api private
|
24
|
+
class MetadataNotFoundError < RuntimeError; end
|
25
|
+
|
26
|
+
# The request is not allowed or IMDS is turned off.
|
27
|
+
# @api private
|
28
|
+
class RequestForbiddenError < RuntimeError; end
|
29
|
+
|
30
|
+
# Creates a client that can query version 2 of the EC2 Instance Metadata
|
31
|
+
# service (IMDS).
|
32
|
+
#
|
33
|
+
# @note Customers using containers may need to increase their hop limit
|
34
|
+
# to access IMDSv2.
|
35
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
|
36
|
+
#
|
37
|
+
# @param [Hash] options
|
38
|
+
# @option options [Integer] :token_ttl (21600) The session token's TTL,
|
39
|
+
# defaulting to 6 hours.
|
40
|
+
# @option options [Integer] :retries (3) The number of retries for failed
|
41
|
+
# requests.
|
42
|
+
# @option options [String] :endpoint (169.254.169.254) The IMDS endpoint.
|
43
|
+
# @option options [Integer] :port (80) The IMDS endpoint port.
|
44
|
+
# @option options [Integer] :http_open_timeout (1) The number of seconds to
|
45
|
+
# wait for the connection to open.
|
46
|
+
# @option options [Integer] :http_read_timeout (1) The number of seconds for
|
47
|
+
# one chunk of data to be read.
|
48
|
+
# @option options [IO] :http_debug_output An output stream for debugging. Do
|
49
|
+
# not use this in production.
|
50
|
+
# @option options [Integer,Proc] :backoff A backoff used for retryable
|
51
|
+
# requests. When given an Integer, it sleeps that amount. When given a
|
52
|
+
# Proc, it is called with the current number of failed retries.
|
53
|
+
def initialize(options = {})
|
54
|
+
@token_ttl = options[:token_ttl] || 21_600
|
55
|
+
@retries = options[:retries] || 3
|
56
|
+
@backoff = backoff(options[:backoff])
|
57
|
+
|
58
|
+
@endpoint = options[:endpoint] || '169.254.169.254'
|
59
|
+
@port = options[:port] || 80
|
60
|
+
|
61
|
+
@http_open_timeout = options[:http_open_timeout] || 1
|
62
|
+
@http_read_timeout = options[:http_read_timeout] || 1
|
63
|
+
@http_debug_output = options[:http_debug_output]
|
64
|
+
|
65
|
+
@token = nil
|
66
|
+
@mutex = Mutex.new
|
67
|
+
end
|
68
|
+
|
69
|
+
# Fetches a given metadata category using a String path, and returns the
|
70
|
+
# result as a String. A path starts with the API version (usually
|
71
|
+
# "/latest/"). See the instance data categories for possible paths.
|
72
|
+
#
|
73
|
+
# @example Fetching the instance ID
|
74
|
+
#
|
75
|
+
# ec2_metadata = Aws::EC2Metadata.new
|
76
|
+
# ec2_metadata.get('/latest/meta-data/instance-id')
|
77
|
+
# => "i-023a25f10a73a0f79"
|
78
|
+
#
|
79
|
+
# @Note This implementation always returns a String and will not parse any
|
80
|
+
# responses. Parsable responses may include JSON objects or directory
|
81
|
+
# listings, which are strings separated by line feeds (ASCII 10).
|
82
|
+
#
|
83
|
+
# @example Fetching and parsing JSON meta-data
|
84
|
+
#
|
85
|
+
# require 'json'
|
86
|
+
# data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
|
87
|
+
# JSON.parse(data)
|
88
|
+
# => {"accountId"=>"012345678912", ... }
|
89
|
+
#
|
90
|
+
# @example Fetching and parsing directory listings
|
91
|
+
#
|
92
|
+
# listing = ec2_metadata.get('/latest/meta-data')
|
93
|
+
# listing.split(10.chr)
|
94
|
+
# => ["ami-id", "ami-launch-index", ...]
|
95
|
+
#
|
96
|
+
# @Note Unlike other services, IMDS does not have a service API model. This
|
97
|
+
# means that we cannot confidently generate code with methods and
|
98
|
+
# response structures. This implementation ensures that new IMDS features
|
99
|
+
# are always supported by being deployed to the instance and does not
|
100
|
+
# require code changes.
|
101
|
+
#
|
102
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
|
103
|
+
# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
|
104
|
+
# @param [String] path The full path to the metadata.
|
105
|
+
def get(path)
|
106
|
+
retry_errors(max_retries: @retries) do
|
107
|
+
@mutex.synchronize do
|
108
|
+
fetch_token unless @token && !@token.expired?
|
109
|
+
end
|
110
|
+
|
111
|
+
open_connection do |conn|
|
112
|
+
http_get(conn, path, @token.value)
|
113
|
+
end
|
114
|
+
end
|
115
|
+
end
|
116
|
+
|
117
|
+
private
|
118
|
+
|
119
|
+
def fetch_token
|
120
|
+
open_connection do |conn|
|
121
|
+
token_value, token_ttl = http_put(conn, @token_ttl)
|
122
|
+
@token = Token.new(value: token_value, ttl: token_ttl)
|
123
|
+
end
|
124
|
+
end
|
125
|
+
|
126
|
+
def http_get(connection, path, token)
|
127
|
+
headers = {
|
128
|
+
'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
|
129
|
+
'x-aws-ec2-metadata-token' => token
|
130
|
+
}
|
131
|
+
request = Net::HTTP::Get.new(path, headers)
|
132
|
+
response = connection.request(request)
|
133
|
+
|
134
|
+
case response.code.to_i
|
135
|
+
when 200
|
136
|
+
response.body
|
137
|
+
when 401
|
138
|
+
raise TokenExpiredError
|
139
|
+
when 404
|
140
|
+
raise MetadataNotFoundError
|
141
|
+
end
|
142
|
+
end
|
143
|
+
|
144
|
+
def http_put(connection, ttl)
|
145
|
+
headers = {
|
146
|
+
'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
|
147
|
+
'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
|
148
|
+
}
|
149
|
+
request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
|
150
|
+
response = connection.request(request)
|
151
|
+
|
152
|
+
case response.code.to_i
|
153
|
+
when 200
|
154
|
+
[
|
155
|
+
response.body,
|
156
|
+
response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
|
157
|
+
]
|
158
|
+
when 400
|
159
|
+
raise TokenRetrievalError
|
160
|
+
when 403
|
161
|
+
raise RequestForbiddenError
|
162
|
+
end
|
163
|
+
end
|
164
|
+
|
165
|
+
def open_connection
|
166
|
+
http = Net::HTTP.new(@endpoint, @port, nil)
|
167
|
+
http.open_timeout = @http_open_timeout
|
168
|
+
http.read_timeout = @http_read_timeout
|
169
|
+
http.set_debug_output(@http_debug_output) if @http_debug_output
|
170
|
+
http.start
|
171
|
+
yield(http).tap { http.finish }
|
172
|
+
end
|
173
|
+
|
174
|
+
def retry_errors(options = {}, &_block)
|
175
|
+
max_retries = options[:max_retries]
|
176
|
+
retries = 0
|
177
|
+
begin
|
178
|
+
yield
|
179
|
+
# These errors should not be retried.
|
180
|
+
rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
|
181
|
+
raise
|
182
|
+
# StandardError is not ideal but it covers Net::HTTP errors.
|
183
|
+
# https://gist.github.com/tenderlove/245188
|
184
|
+
rescue StandardError, TokenExpiredError
|
185
|
+
raise unless retries < max_retries
|
186
|
+
|
187
|
+
@backoff.call(retries)
|
188
|
+
retries += 1
|
189
|
+
retry
|
190
|
+
end
|
191
|
+
end
|
192
|
+
|
193
|
+
def backoff(backoff)
|
194
|
+
case backoff
|
195
|
+
when Proc then backoff
|
196
|
+
when Numeric then ->(_) { Kernel.sleep(backoff) }
|
197
|
+
else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
|
198
|
+
end
|
199
|
+
end
|
200
|
+
|
201
|
+
# @api private
|
202
|
+
class Token
|
203
|
+
def initialize(options = {})
|
204
|
+
@ttl = options[:ttl]
|
205
|
+
@value = options[:value]
|
206
|
+
@created_time = Time.now
|
207
|
+
end
|
208
|
+
|
209
|
+
# [String] Returns the token value.
|
210
|
+
attr_reader :value
|
211
|
+
|
212
|
+
# [Boolean] Returns true if the token expired.
|
213
|
+
def expired?
|
214
|
+
Time.now - @created_time > @ttl
|
215
|
+
end
|
216
|
+
end
|
217
|
+
end
|
218
|
+
end
|
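Review bot: `open_connection` leaks the HTTP session whenever the block raises: `yield(http).tap { http.finish }` only calls `finish` on the success path, so every `TokenExpiredError`, `MetadataNotFoundError` or read timeout raised inside `http_get`/`http_put` leaves a started `Net::HTTP` open while `retry_errors` opens another one. Replace the `http.start` line and the `tap` line with `http.start { |conn| yield(conn) }`, whose block form returns the block value and finishes the session in an `ensure`. Separately, the `case response.code.to_i` in both `http_get` and `http_put` has no `else`, so any other status (a 5xx, or a throttling response from IMDS) makes `get` return nil silently and never enters the retry path; add `else raise "Unexpected IMDS response: #{response.code}"` to each so the failure surfaces and is retried as a StandardError. Minor: `rescue StandardError, TokenExpiredError` lists a subclass of StandardError redundantly, and `Token#expired?` compares wall-clock `Time.now` values, so a clock step on the instance can make a live token look expired (or an expired one look live); `Process.clock_gettime(Process::CLOCK_MONOTONIC)` would avoid that.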
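--- a/data/lib/aws-sdk-core/errors.rb
+++ b/data/lib/aws-sdk-core/errors.rb
@@ -16,10 +16,10 @@ module Aws
 # @param [Aws::Structure] data
 def initialize(context, message, data = Aws::EmptyStructure.new)
 @code = self.class.code
-@message = message if message && !message.empty?
 @context = context
 @data = data
-
+@message = message && !message.empty? ? message : self.class
+super(@message)
 end
 
 # @return [String]
@@ -207,6 +207,9 @@ module Aws
 # payload with either invalid version number or malformed contents
 class InvalidProcessCredentialsPayload < RuntimeError; end
 
+# Raised when SSO Credentials are invalid
+class InvalidSSOCredentials < RuntimeError; end
+
 # Raised when a client is constructed and region is not specified.
 class MissingRegionError < ArgumentError
 def initialize(*args)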
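Review bot: In the first hunk the new fallback `@message = message && !message.empty? ? message : self.class` stores a Class object in `@message`, while the reader documented `# @return [String]` immediately after the constructor presumably exposes that attribute; `super(@message)` still works because `Exception#message` stringifies whatever it was given, but anything reading the attribute directly now gets a Class instead of a String. Use the class name so the attribute keeps one type: `@message = message && !message.empty? ? message : self.class.name`. The error class that owns this `initialize` is declared before the hunk, so I could not check whether other code reads `@message` directly.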
@@ -49,8 +49,8 @@ module Aws
|
|
49
49
|
module PageableResponse
|
50
50
|
|
51
51
|
def self.extended(base)
|
52
|
-
base.
|
53
|
-
base.
|
52
|
+
base.extend Enumerable
|
53
|
+
base.extend UnsafeEnumerableMethods
|
54
54
|
base.instance_variable_set("@last_page", nil)
|
55
55
|
base.instance_variable_set("@more_results", nil)
|
56
56
|
end
|
@@ -30,13 +30,28 @@ following classes:
|
|
30
30
|
* `Aws::Credentials` - Used for configuring static, non-refreshing
|
31
31
|
credentials.
|
32
32
|
|
33
|
+
* `Aws::SharedCredentials` - Used for loading static credentials from a
|
34
|
+
shared file, such as `~/.aws/config`.
|
35
|
+
|
36
|
+
* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
37
|
+
|
38
|
+
* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
39
|
+
assume a role after providing credentials via the web.
|
40
|
+
|
41
|
+
* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
42
|
+
access token generated from `aws login`.
|
43
|
+
|
44
|
+
* `Aws::ProcessCredentials` - Used for loading credentials from a
|
45
|
+
process that outputs to stdout.
|
46
|
+
|
33
47
|
* `Aws::InstanceProfileCredentials` - Used for loading credentials
|
34
48
|
from an EC2 IMDS on an EC2 instance.
|
35
49
|
|
36
|
-
* `Aws::
|
37
|
-
|
50
|
+
* `Aws::ECSCredentials` - Used for loading credentials from
|
51
|
+
instances running in ECS.
|
38
52
|
|
39
|
-
* `Aws::
|
53
|
+
* `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
54
|
+
from the Cognito Identity service.
|
40
55
|
|
41
56
|
When `:credentials` are not configured directly, the following
|
42
57
|
locations will be searched for credentials:
|
@@ -46,10 +61,10 @@ locations will be searched for credentials:
|
|
46
61
|
* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
47
62
|
* `~/.aws/credentials`
|
48
63
|
* `~/.aws/config`
|
49
|
-
* EC2 IMDS instance profile - When used by default, the timeouts
|
50
|
-
very aggressive. Construct and pass an instance of
|
51
|
-
`Aws::InstanceProfileCredentails`
|
52
|
-
timeouts.
|
64
|
+
* EC2/ECS IMDS instance profile - When used by default, the timeouts
|
65
|
+
are very aggressive. Construct and pass an instance of
|
66
|
+
`Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
67
|
+
enable retries and extended timeouts.
|
53
68
|
DOCS
|
54
69
|
) do |config|
|
55
70
|
CredentialProviderChain.new(config).resolve
|
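Review bot: The rewritten IMDS paragraph still misspells the class as `Aws::InstanceProfileCredentails` on new line 66; this heredoc is the user-facing documentation for the `:credentials` option, so change it to `Aws::InstanceProfileCredentials`. The new `Aws::SSOCredentials` bullet says the access token is generated from `aws login`; the AWS CLI command that writes the cached SSO token is `aws sso login`, so that line likely wants the same correction. The heredoc's opening and the option declaration it documents begin before the hunk.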
@@ -15,17 +15,18 @@ to default service endpoint when available.
|
|
15
15
|
)
|
16
16
|
|
17
17
|
def add_handlers(handlers, config)
|
18
|
-
|
19
|
-
handlers.add(Handler, priority: 90)
|
20
|
-
end
|
18
|
+
handlers.add(Handler, priority: 10)
|
21
19
|
end
|
22
20
|
|
23
21
|
class Handler < Seahorse::Client::Handler
|
24
22
|
|
25
23
|
def call(context)
|
26
|
-
|
27
|
-
|
28
|
-
|
24
|
+
if context.config.regional_endpoint &&
|
25
|
+
!context.config.disable_host_prefix_injection
|
26
|
+
endpoint_trait = context.operation.endpoint_pattern
|
27
|
+
if endpoint_trait && !endpoint_trait.empty?
|
28
|
+
_apply_endpoint_trait(context, endpoint_trait)
|
29
|
+
end
|
29
30
|
end
|
30
31
|
@handler.call(context)
|
31
32
|
end
|
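Review bot: The handler priority in `add_handlers` drops from 90 to 10 with no comment explaining why; the priority fixes where this handler runs relative to the other handlers in the stack, and a later reader of `handlers.add(Handler, priority: 10)` cannot tell which plugin the new ordering depends on. Add a why-comment on that line naming it, e.g. `# priority 10: must run after the plugin that resolves the regional endpoint, so the host prefix is applied to the final host — confirm which plugin`. In `call`, the new guard skips injection when `context.config.regional_endpoint` is false as well as when `disable_host_prefix_injection` is set; a short comment stating that host-prefix injection applies only to regional (not custom) endpoints would make the condition self-explanatory. `_apply_endpoint_trait` is defined outside the hunk.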