aws-sdk-core 3.104.4 → 3.111.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 680ba60978f23c0aa45dd61bded4e7f2cc89b45e4edb3604f4ccfe906b5b2e94
-  data.tar.gz: d0332b0ee610e3941c61350863bf49849a24a9ba7ce40e539fca8bf89ad9506b
+  metadata.gz: 282f18d47c64542b150b414e2c5bffc94b94edf011b9504c79687ac23adc13e6
+  data.tar.gz: c70ec81b05022177b2ceecfdd7d332c17b69028bb8a8babe42f9646e16167742
 SHA512:
-  metadata.gz: 792e9f570ce9179c26e49265fb2ddc3fbbffa545516dbf69503f5402c6ab036157645c459324ab72be0b217d0f2ae92e97c9cb7e5534f4328d89565a437b0521
-  data.tar.gz: 6480bf69a614e7c8f8e2b3bad0065cf9b50772c24b5e4afdf95b7c1895d1f013d05f4232de50d988bb0ff536f8bb86dd45ad1d9b4a8aa37ca2ced320932db13e
+  metadata.gz: a7576e33d28306590206c7a45092f5b41c8ce002a51c4745608c4aa0ca4dba76830d69546f3ffdaa321dae51d3456d2894d090e0cde1243ada25b4ae4648c701
+  data.tar.gz: 36ba0115844053b24f8465368532768fef87c28d6abacbe82eab99178661f95b4cc1d1dc52b3a7724092bd72cfa983a1d03e50b25241534a8e9ec067e2c9b43b

data/VERSION

@@ -1 +1 @@
-3.104.4
+3.111.2

data/lib/aws-sdk-core.rb

@@ -18,6 +18,7 @@ require_relative 'aws-sdk-core/ecs_credentials'
 require_relative 'aws-sdk-core/instance_profile_credentials'
 require_relative 'aws-sdk-core/shared_credentials'
 require_relative 'aws-sdk-core/process_credentials'
+require_relative 'aws-sdk-core/sso_credentials'
 
 # client modules
 
@@ -81,14 +82,17 @@ require_relative 'aws-sdk-core/endpoint_cache'
 require_relative 'aws-sdk-core/client_side_monitoring/request_metrics'
 require_relative 'aws-sdk-core/client_side_monitoring/publisher'
 
-# arn
+# utilities
 
 require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
+require_relative 'aws-sdk-core/ec2_metadata'
 
-# aws-sdk-sts is vendored to support Aws::AssumeRoleCredentials
+# aws-sdk-sts is included to support Aws::AssumeRoleCredentials
+require_relative 'aws-sdk-sts'
 
-require 'aws-sdk-sts'
+# aws-sdk-sso is included to support Aws::SSOCredentials
+require_relative 'aws-sdk-sso'
 
 module Aws
 

data/lib/aws-sdk-core/arn.rb

@@ -75,5 +75,18 @@ module Aws
     def to_s
       "arn:#{partition}:#{service}:#{region}:#{account_id}:#{resource}"
     end
+
+    # Return the ARN as a hash
+    #
+    # @return [Hash]
+    def to_h
+      {
+        partition: @partition,
+        service: @service,
+        region: @region,
+        account_id: @account_id,
+        resource: @resource
+      }
+    end
   end
 end

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -22,11 +22,13 @@ module Aws
       [
         [:static_credentials, {}],
         [:static_profile_assume_role_web_identity_credentials, {}],
+        [:static_profile_sso_credentials, {}],
         [:static_profile_assume_role_credentials, {}],
         [:static_profile_credentials, {}],
         [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
+        [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
         [:process_credentials, {}],
@@ -57,6 +59,14 @@ module Aws
       end
     end
 
+    def static_profile_sso_credentials(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.sso_credentials_from_config(
+          profile: options[:config].profile
+        )
+      end
+    end
+
     def static_profile_assume_role_credentials(options)
       if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
         assume_role_with_profile(options, options[:config].profile)
@@ -115,6 +125,15 @@ module Aws
       nil
     end
 
+    def sso_credentials(options)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled?
+        Aws.shared_config.sso_credentials_from_config(profile: profile_name)
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
     def assume_role_credentials(options)
       if Aws.shared_config.config_enabled?
         assume_role_with_profile(options, determine_profile_name(options))

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require 'time'
+require 'net/http'
+
+module Aws
+  # A client that can query version 2 of the EC2 Instance Metadata
+  class EC2Metadata
+    # Path for PUT request for token
+    # @api private
+    METADATA_TOKEN_PATH = '/latest/api/token'.freeze
+
+    # Raised when the PUT request is not valid. This would be thrown if
+    # `token_ttl` is not an Integer.
+    # @api private
+    class TokenRetrievalError < RuntimeError; end
+
+    # Token has expired, and the request can be retried with a new token.
+    # @api private
+    class TokenExpiredError < RuntimeError; end
+
+    # The requested metadata path does not exist.
+    # @api private
+    class MetadataNotFoundError < RuntimeError; end
+
+    # The request is not allowed or IMDS is turned off.
+    # @api private
+    class RequestForbiddenError < RuntimeError; end
+
+    # Creates a client that can query version 2 of the EC2 Instance Metadata
+    #   service (IMDS).
+    #
+    # @note Customers using containers may need to increase their hop limit
+    #   to access IMDSv2.
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
+    #
+    # @param [Hash] options
+    # @option options [Integer] :token_ttl (21600) The session token's TTL,
+    #   defaulting to 6 hours.
+    # @option options [Integer] :retries (3) The number of retries for failed
+    #   requests.
+    # @option options [String] :endpoint (169.254.169.254) The IMDS endpoint.
+    # @option options [Integer] :port (80) The IMDS endpoint port.
+    # @option options [Integer] :http_open_timeout (1) The number of seconds to
+    #   wait for the connection to open.
+    # @option options [Integer] :http_read_timeout (1) The number of seconds for
+    #   one chunk of data to be read.
+    # @option options [IO] :http_debug_output An output stream for debugging. Do
+    #   not use this in production.
+    # @option options [Integer,Proc] :backoff A backoff used for retryable
+    #   requests. When given an Integer, it sleeps that amount. When given a
+    #   Proc, it is called with the current number of failed retries.
+    def initialize(options = {})
+      @token_ttl = options[:token_ttl] || 21_600
+      @retries = options[:retries] || 3
+      @backoff = backoff(options[:backoff])
+
+      @endpoint = options[:endpoint] || '169.254.169.254'
+      @port = options[:port] || 80
+
+      @http_open_timeout = options[:http_open_timeout] || 1
+      @http_read_timeout = options[:http_read_timeout] || 1
+      @http_debug_output = options[:http_debug_output]
+
+      @token = nil
+      @mutex = Mutex.new
+    end
+
+    # Fetches a given metadata category using a String path, and returns the
+    #   result as a String. A path starts with the API version (usually
+    #   "/latest/"). See the instance data categories for possible paths.
+    #
+    # @example Fetching the instance ID
+    #
+    #   ec2_metadata = Aws::EC2Metadata.new
+    #   ec2_metadata.get('/latest/meta-data/instance-id')
+    #   => "i-023a25f10a73a0f79"
+    #
+    # @Note This implementation always returns a String and will not parse any
+    #   responses. Parsable responses may include JSON objects or directory
+    #   listings, which are strings separated by line feeds (ASCII 10).
+    #
+    # @example Fetching and parsing JSON meta-data
+    #
+    #   require 'json'
+    #   data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
+    #   JSON.parse(data)
+    #   => {"accountId"=>"012345678912", ... }
+    #
+    # @example Fetching and parsing directory listings
+    #
+    #   listing = ec2_metadata.get('/latest/meta-data')
+    #   listing.split(10.chr)
+    #   => ["ami-id", "ami-launch-index", ...]
+    #
+    # @Note Unlike other services, IMDS does not have a service API model. This
+    #   means that we cannot confidently generate code with methods and
+    #   response structures. This implementation ensures that new IMDS features
+    #   are always supported by being deployed to the instance and does not
+    #   require code changes.
+    #
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+    # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
+    # @param [String] path The full path to the metadata.
+    def get(path)
+      retry_errors(max_retries: @retries) do
+        @mutex.synchronize do
+          fetch_token unless @token && !@token.expired?
+        end
+
+        open_connection do |conn|
+          http_get(conn, path, @token.value)
+        end
+      end
+    end
+
+    private
+
+    def fetch_token
+      open_connection do |conn|
+        token_value, token_ttl = http_put(conn, @token_ttl)
+        @token = Token.new(value: token_value, ttl: token_ttl)
+      end
+    end
+
+    def http_get(connection, path, token)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token' => token
+      }
+      request = Net::HTTP::Get.new(path, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        response.body
+      when 401
+        raise TokenExpiredError
+      when 404
+        raise MetadataNotFoundError
+      end
+    end
+
+    def http_put(connection, ttl)
+      headers = {
+        'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+        'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+      }
+      request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
+      response = connection.request(request)
+
+      case response.code.to_i
+      when 200
+        [
+          response.body,
+          response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
+        ]
+      when 400
+        raise TokenRetrievalError
+      when 403
+        raise RequestForbiddenError
+      end
+    end
+
+    def open_connection
+      http = Net::HTTP.new(@endpoint, @port, nil)
+      http.open_timeout = @http_open_timeout
+      http.read_timeout = @http_read_timeout
+      http.set_debug_output(@http_debug_output) if @http_debug_output
+      http.start
+      yield(http).tap { http.finish }
+    end
+
+    def retry_errors(options = {}, &_block)
+      max_retries = options[:max_retries]
+      retries = 0
+      begin
+        yield
+      # These errors should not be retried.
+      rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
+        raise
+      # StandardError is not ideal but it covers Net::HTTP errors.
+      # https://gist.github.com/tenderlove/245188
+      rescue StandardError, TokenExpiredError
+        raise unless retries < max_retries
+
+        @backoff.call(retries)
+        retries += 1
+        retry
+      end
+    end
+
+    def backoff(backoff)
+      case backoff
+      when Proc then backoff
+      when Numeric then ->(_) { Kernel.sleep(backoff) }
+      else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
+      end
+    end
+
+    # @api private
+    class Token
+      def initialize(options = {})
+        @ttl   = options[:ttl]
+        @value = options[:value]
+        @created_time = Time.now
+      end
+
+      # [String] Returns the token value.
+      attr_reader :value
+
+      # [Boolean] Returns true if the token expired.
+      def expired?
+        Time.now - @created_time > @ttl
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/errors.rb

@@ -16,10 +16,10 @@ module Aws
       # @param [Aws::Structure] data
       def initialize(context, message, data = Aws::EmptyStructure.new)
         @code = self.class.code
-        @message = message if message && !message.empty?
         @context = context
         @data = data
-        super(message)
+        @message = message && !message.empty? ? message : self.class
+        super(@message)
       end
 
       # @return [String]
@@ -207,6 +207,9 @@ module Aws
     # payload with either invalid version number or malformed contents
     class InvalidProcessCredentialsPayload < RuntimeError; end
 
+    # Raised when SSO Credentials are invalid
+    class InvalidSSOCredentials < RuntimeError; end
+
     # Raised when a client is constructed and region is not specified.
     class MissingRegionError < ArgumentError
       def initialize(*args)

data/lib/aws-sdk-core/json/json_engine.rb

@@ -2,14 +2,14 @@
 
 module Aws
   module Json
-    class OjEngine
+    class JSONEngine
 
       def self.load(json)
-        Oj.load(json)
+        JSON.load(json)
       end
 
       def self.dump(value)
-        Oj.dump(value)
+        JSON.dump(value)
       end
 
     end

data/lib/aws-sdk-core/json/oj_engine.rb

@@ -2,14 +2,14 @@
 
 module Aws
   module Json
-    class JSONEngine
+    class OjEngine
 
       def self.load(json)
-        JSON.load(json)
+        Oj.load(json)
       end
 
       def self.dump(value)
-        JSON.dump(value)
+        Oj.dump(value)
       end
 
     end

data/lib/aws-sdk-core/pageable_response.rb

@@ -49,8 +49,8 @@ module Aws
   module PageableResponse
 
     def self.extended(base)
-      base.send(:extend, Enumerable)
-      base.send(:extend, UnsafeEnumerableMethods)
+      base.extend Enumerable
+      base.extend UnsafeEnumerableMethods
       base.instance_variable_set("@last_page", nil)
       base.instance_variable_set("@more_results", nil)
     end

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -30,13 +30,28 @@ following classes:
 * `Aws::Credentials` - Used for configuring static, non-refreshing
   credentials.
 
+* `Aws::SharedCredentials` - Used for loading static credentials from a
+  shared file, such as `~/.aws/config`.
+
+* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+
+* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+  assume a role after providing credentials via the web.
+
+* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+  access token generated from `aws login`.
+
+* `Aws::ProcessCredentials` - Used for loading credentials from a
+  process that outputs to stdout.
+
 * `Aws::InstanceProfileCredentials` - Used for loading credentials
   from an EC2 IMDS on an EC2 instance.
 
-* `Aws::SharedCredentials` - Used for loading credentials from a
-  shared file, such as `~/.aws/config`.
+* `Aws::ECSCredentials` - Used for loading credentials from
+  instances running in ECS.
 
-* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+* `Aws::CognitoIdentityCredentials` - Used for loading credentials
+  from the Cognito Identity service.
 
 When `:credentials` are not configured directly, the following
 locations will be searched for credentials:
@@ -46,10 +61,10 @@ locations will be searched for credentials:
 * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
 * `~/.aws/credentials`
 * `~/.aws/config`
-* EC2 IMDS instance profile - When used by default, the timeouts are
-  very aggressive. Construct and pass an instance of
-  `Aws::InstanceProfileCredentails` to enable retries and extended
-  timeouts.
+* EC2/ECS IMDS instance profile - When used by default, the timeouts
+  are very aggressive. Construct and pass an instance of
+  `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
+  enable retries and extended timeouts.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve

data/lib/aws-sdk-core/plugins/endpoint_pattern.rb

@@ -15,17 +15,18 @@ to default service endpoint when available.
       )
 
       def add_handlers(handlers, config)
-        if config.regional_endpoint && !config.disable_host_prefix_injection
-          handlers.add(Handler, priority: 90)
-        end
+        handlers.add(Handler, priority: 10)
       end
 
       class Handler < Seahorse::Client::Handler
 
         def call(context)
-          endpoint_trait = context.operation.endpoint_pattern
-          if endpoint_trait && !endpoint_trait.empty?
-            _apply_endpoint_trait(context, endpoint_trait)
+          if context.config.regional_endpoint &&
+             !context.config.disable_host_prefix_injection
+            endpoint_trait = context.operation.endpoint_pattern
+            if endpoint_trait && !endpoint_trait.empty?
+              _apply_endpoint_trait(context, endpoint_trait)
+            end
           end
           @handler.call(context)
         end