aws-sdk-core 3.104.4 → 3.111.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +7 -3
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +19 -0
- data/lib/aws-sdk-core/ec2_metadata.rb +218 -0
- data/lib/aws-sdk-core/errors.rb +5 -2
- data/lib/aws-sdk-core/json/json_engine.rb +3 -3
- data/lib/aws-sdk-core/json/oj_engine.rb +3 -3
- data/lib/aws-sdk-core/pageable_response.rb +2 -2
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +22 -7
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +7 -6
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +1 -1
- data/lib/aws-sdk-core/plugins/retry_errors.rb +4 -3
- data/lib/aws-sdk-core/shared_config.rb +33 -0
- data/lib/aws-sdk-core/sso_credentials.rb +132 -0
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/parser.rb +5 -0
- data/lib/aws-sdk-core/xml/parser/engines/rexml.rb +8 -0
- data/lib/aws-sdk-sso.rb +55 -0
- data/lib/aws-sdk-sso/client.rb +548 -0
- data/lib/aws-sdk-sso/client_api.rb +190 -0
- data/lib/aws-sdk-sso/customizations.rb +1 -0
- data/lib/aws-sdk-sso/errors.rb +102 -0
- data/lib/aws-sdk-sso/plugins/content_type.rb +25 -0
- data/lib/aws-sdk-sso/resource.rb +26 -0
- data/lib/aws-sdk-sso/types.rb +352 -0
- data/lib/aws-sdk-sts.rb +7 -2
- data/lib/aws-sdk-sts/client.rb +24 -9
- data/lib/aws-sdk-sts/client_api.rb +1 -0
- data/lib/aws-sdk-sts/types.rb +2 -2
- data/lib/seahorse/client/h2/connection.rb +1 -2
- data/lib/seahorse/client/net_http/handler.rb +2 -1
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +4 -1
- data/lib/seahorse/client/plugins/response_target.rb +0 -1
- data/lib/seahorse/util.rb +6 -1
- metadata +12 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 282f18d47c64542b150b414e2c5bffc94b94edf011b9504c79687ac23adc13e6
|
4
|
+
data.tar.gz: c70ec81b05022177b2ceecfdd7d332c17b69028bb8a8babe42f9646e16167742
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a7576e33d28306590206c7a45092f5b41c8ce002a51c4745608c4aa0ca4dba76830d69546f3ffdaa321dae51d3456d2894d090e0cde1243ada25b4ae4648c701
|
7
|
+
data.tar.gz: 36ba0115844053b24f8465368532768fef87c28d6abacbe82eab99178661f95b4cc1d1dc52b3a7724092bd72cfa983a1d03e50b25241534a8e9ec067e2c9b43b
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.111.2
|
data/lib/aws-sdk-core.rb
CHANGED
@@ -18,6 +18,7 @@ require_relative 'aws-sdk-core/ecs_credentials'
|
|
18
18
|
require_relative 'aws-sdk-core/instance_profile_credentials'
|
19
19
|
require_relative 'aws-sdk-core/shared_credentials'
|
20
20
|
require_relative 'aws-sdk-core/process_credentials'
|
21
|
+
require_relative 'aws-sdk-core/sso_credentials'
|
21
22
|
|
22
23
|
# client modules
|
23
24
|
|
@@ -81,14 +82,17 @@ require_relative 'aws-sdk-core/endpoint_cache'
|
|
81
82
|
require_relative 'aws-sdk-core/client_side_monitoring/request_metrics'
|
82
83
|
require_relative 'aws-sdk-core/client_side_monitoring/publisher'
|
83
84
|
|
84
|
-
#
|
85
|
+
# utilities
|
85
86
|
|
86
87
|
require_relative 'aws-sdk-core/arn'
|
87
88
|
require_relative 'aws-sdk-core/arn_parser'
|
89
|
+
require_relative 'aws-sdk-core/ec2_metadata'
|
88
90
|
|
89
|
-
# aws-sdk-sts is
|
91
|
+
# aws-sdk-sts is included to support Aws::AssumeRoleCredentials
|
92
|
+
require_relative 'aws-sdk-sts'
|
90
93
|
|
91
|
-
|
94
|
+
# aws-sdk-sso is included to support Aws::SSOCredentials
|
95
|
+
require_relative 'aws-sdk-sso'
|
92
96
|
|
93
97
|
module Aws
|
94
98
|
|
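--- a/data/lib/aws-sdk-core/arn.rb
+++ b/data/lib/aws-sdk-core/arn.rb
@@ -75,5 +75,18 @@ module Aws
 def to_s
 "arn:#{partition}:#{service}:#{region}:#{account_id}:#{resource}"
 end
+
+# Return the ARN as a hash
+#
+# @return [Hash]
+def to_h
+{
+partition: @partition,
+service: @service,
+region: @region,
+account_id: @account_id,
+resource: @resource
+}
+end
 end
 end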
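--- a/data/lib/aws-sdk-core/credential_provider_chain.rb
+++ b/data/lib/aws-sdk-core/credential_provider_chain.rb
@@ -22,11 +22,13 @@ module Aws
 [
 [:static_credentials, {}],
 [:static_profile_assume_role_web_identity_credentials, {}],
+[:static_profile_sso_credentials, {}],
 [:static_profile_assume_role_credentials, {}],
 [:static_profile_credentials, {}],
 [:static_profile_process_credentials, {}],
 [:env_credentials, {}],
 [:assume_role_web_identity_credentials, {}],
+[:sso_credentials, {}],
 [:assume_role_credentials, {}],
 [:shared_credentials, {}],
 [:process_credentials, {}],
@@ -57,6 +59,14 @@ module Aws
 end
 end
 
+def static_profile_sso_credentials(options)
+if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+Aws.shared_config.sso_credentials_from_config(
+profile: options[:config].profile
+)
+end
+end
+
 def static_profile_assume_role_credentials(options)
 if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
 assume_role_with_profile(options, options[:config].profile)
@@ -115,6 +125,15 @@ module Aws
 nil
 end
 
+def sso_credentials(options)
+profile_name = determine_profile_name(options)
+if Aws.shared_config.config_enabled?
+Aws.shared_config.sso_credentials_from_config(profile: profile_name)
+end
+rescue Errors::NoSuchProfileError
+nil
+end
+
 def assume_role_credentials(options)
 if Aws.shared_config.config_enabled?
 assume_role_with_profile(options, determine_profile_name(options))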
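--- /dev/null
+++ b/data/lib/aws-sdk-core/ec2_metadata.rb
@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+require 'time'
+require 'net/http'
+
+module Aws
+# A client that can query version 2 of the EC2 Instance Metadata
+class EC2Metadata
+# Path for PUT request for token
+# @api private
+METADATA_TOKEN_PATH = '/latest/api/token'.freeze
+
+# Raised when the PUT request is not valid. This would be thrown if
+# `token_ttl` is not an Integer.
+# @api private
+class TokenRetrievalError < RuntimeError; end
+
+# Token has expired, and the request can be retried with a new token.
+# @api private
+class TokenExpiredError < RuntimeError; end
+
+# The requested metadata path does not exist.
+# @api private
+class MetadataNotFoundError < RuntimeError; end
+
+# The request is not allowed or IMDS is turned off.
+# @api private
+class RequestForbiddenError < RuntimeError; end
+
+# Creates a client that can query version 2 of the EC2 Instance Metadata
+# service (IMDS).
+#
+# @note Customers using containers may need to increase their hop limit
+# to access IMDSv2.
+# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
+#
+# @param [Hash] options
+# @option options [Integer] :token_ttl (21600) The session token's TTL,
+# defaulting to 6 hours.
+# @option options [Integer] :retries (3) The number of retries for failed
+# requests.
+# @option options [String] :endpoint (169.254.169.254) The IMDS endpoint.
+# @option options [Integer] :port (80) The IMDS endpoint port.
+# @option options [Integer] :http_open_timeout (1) The number of seconds to
+# wait for the connection to open.
+# @option options [Integer] :http_read_timeout (1) The number of seconds for
+# one chunk of data to be read.
+# @option options [IO] :http_debug_output An output stream for debugging. Do
+# not use this in production.
+# @option options [Integer,Proc] :backoff A backoff used for retryable
+# requests. When given an Integer, it sleeps that amount. When given a
+# Proc, it is called with the current number of failed retries.
+def initialize(options = {})
+@token_ttl = options[:token_ttl] || 21_600
+@retries = options[:retries] || 3
+@backoff = backoff(options[:backoff])
+
+@endpoint = options[:endpoint] || '169.254.169.254'
+@port = options[:port] || 80
+
+@http_open_timeout = options[:http_open_timeout] || 1
+@http_read_timeout = options[:http_read_timeout] || 1
+@http_debug_output = options[:http_debug_output]
+
+@token = nil
+@mutex = Mutex.new
+end
+
+# Fetches a given metadata category using a String path, and returns the
+# result as a String. A path starts with the API version (usually
+# "/latest/"). See the instance data categories for possible paths.
+#
+# @example Fetching the instance ID
+#
+# ec2_metadata = Aws::EC2Metadata.new
+# ec2_metadata.get('/latest/meta-data/instance-id')
+# => "i-023a25f10a73a0f79"
+#
+# @Note This implementation always returns a String and will not parse any
+# responses. Parsable responses may include JSON objects or directory
+# listings, which are strings separated by line feeds (ASCII 10).
+#
+# @example Fetching and parsing JSON meta-data
+#
+# require 'json'
+# data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
+# JSON.parse(data)
+# => {"accountId"=>"012345678912", ... }
+#
+# @example Fetching and parsing directory listings
+#
+# listing = ec2_metadata.get('/latest/meta-data')
+# listing.split(10.chr)
+# => ["ami-id", "ami-launch-index", ...]
+#
+# @Note Unlike other services, IMDS does not have a service API model. This
+# means that we cannot confidently generate code with methods and
+# response structures. This implementation ensures that new IMDS features
+# are always supported by being deployed to the instance and does not
+# require code changes.
+#
+# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
+# @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
+# @param [String] path The full path to the metadata.
+def get(path)
+retry_errors(max_retries: @retries) do
+@mutex.synchronize do
+fetch_token unless @token && !@token.expired?
+end
+
+open_connection do |conn|
+http_get(conn, path, @token.value)
+end
+end
+end
+
+private
+
+def fetch_token
+open_connection do |conn|
+token_value, token_ttl = http_put(conn, @token_ttl)
+@token = Token.new(value: token_value, ttl: token_ttl)
+end
+end
+
+def http_get(connection, path, token)
+headers = {
+'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+'x-aws-ec2-metadata-token' => token
+}
+request = Net::HTTP::Get.new(path, headers)
+response = connection.request(request)
+
+case response.code.to_i
+when 200
+response.body
+when 401
+raise TokenExpiredError
+when 404
+raise MetadataNotFoundError
+end
+end
+
+def http_put(connection, ttl)
+headers = {
+'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+}
+request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
+response = connection.request(request)
+
+case response.code.to_i
+when 200
+[
+response.body,
+response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
+]
+when 400
+raise TokenRetrievalError
+when 403
+raise RequestForbiddenError
+end
+end
+
+def open_connection
+http = Net::HTTP.new(@endpoint, @port, nil)
+http.open_timeout = @http_open_timeout
+http.read_timeout = @http_read_timeout
+http.set_debug_output(@http_debug_output) if @http_debug_output
+http.start
+yield(http).tap { http.finish }
+end
+
+def retry_errors(options = {}, &_block)
+max_retries = options[:max_retries]
+retries = 0
+begin
+yield
+# These errors should not be retried.
+rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
+raise
+# StandardError is not ideal but it covers Net::HTTP errors.
+# https://gist.github.com/tenderlove/245188
+rescue StandardError, TokenExpiredError
+raise unless retries < max_retries
+
+@backoff.call(retries)
+retries += 1
+retry
+end
+end
+
+def backoff(backoff)
+case backoff
+when Proc then backoff
+when Numeric then ->(_) { Kernel.sleep(backoff) }
+else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
+end
+end
+
+# @api private
+class Token
+def initialize(options = {})
+@ttl = options[:ttl]
+@value = options[:value]
+@created_time = Time.now
+end
+
+# [String] Returns the token value.
+attr_reader :value
+
+# [Boolean] Returns true if the token expired.
+def expired?
+Time.now - @created_time > @ttl
+end
+end
+end
+end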
data/lib/aws-sdk-core/errors.rb
CHANGED
@@ -16,10 +16,10 @@ module Aws
|
|
16
16
|
# @param [Aws::Structure] data
|
17
17
|
def initialize(context, message, data = Aws::EmptyStructure.new)
|
18
18
|
@code = self.class.code
|
19
|
-
@message = message if message && !message.empty?
|
20
19
|
@context = context
|
21
20
|
@data = data
|
22
|
-
|
21
|
+
@message = message && !message.empty? ? message : self.class
|
22
|
+
super(@message)
|
23
23
|
end
|
24
24
|
|
25
25
|
# @return [String]
|
@@ -207,6 +207,9 @@ module Aws
|
|
207
207
|
# payload with either invalid version number or malformed contents
|
208
208
|
class InvalidProcessCredentialsPayload < RuntimeError; end
|
209
209
|
|
210
|
+
# Raised when SSO Credentials are invalid
|
211
|
+
class InvalidSSOCredentials < RuntimeError; end
|
212
|
+
|
210
213
|
# Raised when a client is constructed and region is not specified.
|
211
214
|
class MissingRegionError < ArgumentError
|
212
215
|
def initialize(*args)
|
@@ -49,8 +49,8 @@ module Aws
|
|
49
49
|
module PageableResponse
|
50
50
|
|
51
51
|
def self.extended(base)
|
52
|
-
base.
|
53
|
-
base.
|
52
|
+
base.extend Enumerable
|
53
|
+
base.extend UnsafeEnumerableMethods
|
54
54
|
base.instance_variable_set("@last_page", nil)
|
55
55
|
base.instance_variable_set("@more_results", nil)
|
56
56
|
end
|
@@ -30,13 +30,28 @@ following classes:
|
|
30
30
|
* `Aws::Credentials` - Used for configuring static, non-refreshing
|
31
31
|
credentials.
|
32
32
|
|
33
|
+
* `Aws::SharedCredentials` - Used for loading static credentials from a
|
34
|
+
shared file, such as `~/.aws/config`.
|
35
|
+
|
36
|
+
* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
37
|
+
|
38
|
+
* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
|
39
|
+
assume a role after providing credentials via the web.
|
40
|
+
|
41
|
+
* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
|
42
|
+
access token generated from `aws login`.
|
43
|
+
|
44
|
+
* `Aws::ProcessCredentials` - Used for loading credentials from a
|
45
|
+
process that outputs to stdout.
|
46
|
+
|
33
47
|
* `Aws::InstanceProfileCredentials` - Used for loading credentials
|
34
48
|
from an EC2 IMDS on an EC2 instance.
|
35
49
|
|
36
|
-
* `Aws::
|
37
|
-
|
50
|
+
* `Aws::ECSCredentials` - Used for loading credentials from
|
51
|
+
instances running in ECS.
|
38
52
|
|
39
|
-
* `Aws::
|
53
|
+
* `Aws::CognitoIdentityCredentials` - Used for loading credentials
|
54
|
+
from the Cognito Identity service.
|
40
55
|
|
41
56
|
When `:credentials` are not configured directly, the following
|
42
57
|
locations will be searched for credentials:
|
@@ -46,10 +61,10 @@ locations will be searched for credentials:
|
|
46
61
|
* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
47
62
|
* `~/.aws/credentials`
|
48
63
|
* `~/.aws/config`
|
49
|
-
* EC2 IMDS instance profile - When used by default, the timeouts
|
50
|
-
very aggressive. Construct and pass an instance of
|
51
|
-
`Aws::InstanceProfileCredentails`
|
52
|
-
timeouts.
|
64
|
+
* EC2/ECS IMDS instance profile - When used by default, the timeouts
|
65
|
+
are very aggressive. Construct and pass an instance of
|
66
|
+
`Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
67
|
+
enable retries and extended timeouts.
|
53
68
|
DOCS
|
54
69
|
) do |config|
|
55
70
|
CredentialProviderChain.new(config).resolve
|
@@ -15,17 +15,18 @@ to default service endpoint when available.
|
|
15
15
|
)
|
16
16
|
|
17
17
|
def add_handlers(handlers, config)
|
18
|
-
|
19
|
-
handlers.add(Handler, priority: 90)
|
20
|
-
end
|
18
|
+
handlers.add(Handler, priority: 10)
|
21
19
|
end
|
22
20
|
|
23
21
|
class Handler < Seahorse::Client::Handler
|
24
22
|
|
25
23
|
def call(context)
|
26
|
-
|
27
|
-
|
28
|
-
|
24
|
+
if context.config.regional_endpoint &&
|
25
|
+
!context.config.disable_host_prefix_injection
|
26
|
+
endpoint_trait = context.operation.endpoint_pattern
|
27
|
+
if endpoint_trait && !endpoint_trait.empty?
|
28
|
+
_apply_endpoint_trait(context, endpoint_trait)
|
29
|
+
end
|
29
30
|
end
|
30
31
|
@handler.call(context)
|
31
32
|
end
|
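Review bot: The new guard at lines 24-25 changes behaviour — host-prefix injection is now skipped whenever the client is not using the regional endpoint or `disable_host_prefix_injection` is set — but nothing in the handler says why, and the priority change from 90 to 10 at line 18 reorders this handler relative to the other build-step handlers without explanation. A comment above the `if`, for example `# Host prefixes are only injected onto the SDK's regional endpoint; a custom endpoint, or an explicit opt-out, is used verbatim.`, plus a one-line note on the priority change, would let a later reader tell intent from accident. Whether `disable_host_prefix_injection` is declared as an option on this plugin is not visible in the hunk.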