aws-sdk-core 3.104.4 → 3.111.2

Files changed (40) hide show
  1. checksums.yaml +4 -4
  2. data/VERSION +1 -1
  3. data/lib/aws-sdk-core.rb +7 -3
  4. data/lib/aws-sdk-core/arn.rb +13 -0
  5. data/lib/aws-sdk-core/credential_provider_chain.rb +19 -0
  6. data/lib/aws-sdk-core/ec2_metadata.rb +218 -0
  7. data/lib/aws-sdk-core/errors.rb +5 -2
  8. data/lib/aws-sdk-core/json/json_engine.rb +3 -3
  9. data/lib/aws-sdk-core/json/oj_engine.rb +3 -3
  10. data/lib/aws-sdk-core/pageable_response.rb +2 -2
  11. data/lib/aws-sdk-core/plugins/credentials_configuration.rb +22 -7
  12. data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +7 -6
  13. data/lib/aws-sdk-core/plugins/regional_endpoint.rb +1 -1
  14. data/lib/aws-sdk-core/plugins/retry_errors.rb +4 -3
  15. data/lib/aws-sdk-core/shared_config.rb +33 -0
  16. data/lib/aws-sdk-core/sso_credentials.rb +132 -0
  17. data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
  18. data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
  19. data/lib/aws-sdk-core/xml/builder.rb +1 -1
  20. data/lib/aws-sdk-core/xml/parser.rb +5 -0
  21. data/lib/aws-sdk-core/xml/parser/engines/rexml.rb +8 -0
  22. data/lib/aws-sdk-sso.rb +55 -0
  23. data/lib/aws-sdk-sso/client.rb +548 -0
  24. data/lib/aws-sdk-sso/client_api.rb +190 -0
  25. data/lib/aws-sdk-sso/customizations.rb +1 -0
  26. data/lib/aws-sdk-sso/errors.rb +102 -0
  27. data/lib/aws-sdk-sso/plugins/content_type.rb +25 -0
  28. data/lib/aws-sdk-sso/resource.rb +26 -0
  29. data/lib/aws-sdk-sso/types.rb +352 -0
  30. data/lib/aws-sdk-sts.rb +7 -2
  31. data/lib/aws-sdk-sts/client.rb +24 -9
  32. data/lib/aws-sdk-sts/client_api.rb +1 -0
  33. data/lib/aws-sdk-sts/types.rb +2 -2
  34. data/lib/seahorse/client/h2/connection.rb +1 -2
  35. data/lib/seahorse/client/net_http/handler.rb +2 -1
  36. data/lib/seahorse/client/plugins/h2.rb +4 -1
  37. data/lib/seahorse/client/plugins/net_http.rb +4 -1
  38. data/lib/seahorse/client/plugins/response_target.rb +0 -1
  39. data/lib/seahorse/util.rb +6 -1
  40. metadata +12 -2
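--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 680ba60978f23c0aa45dd61bded4e7f2cc89b45e4edb3604f4ccfe906b5b2e94
- data.tar.gz: d0332b0ee610e3941c61350863bf49849a24a9ba7ce40e539fca8bf89ad9506b
+ metadata.gz: 282f18d47c64542b150b414e2c5bffc94b94edf011b9504c79687ac23adc13e6
+ data.tar.gz: c70ec81b05022177b2ceecfdd7d332c17b69028bb8a8babe42f9646e16167742
  SHA512:
- metadata.gz: 792e9f570ce9179c26e49265fb2ddc3fbbffa545516dbf69503f5402c6ab036157645c459324ab72be0b217d0f2ae92e97c9cb7e5534f4328d89565a437b0521
- data.tar.gz: 6480bf69a614e7c8f8e2b3bad0065cf9b50772c24b5e4afdf95b7c1895d1f013d05f4232de50d988bb0ff536f8bb86dd45ad1d9b4a8aa37ca2ced320932db13e
+ metadata.gz: a7576e33d28306590206c7a45092f5b41c8ce002a51c4745608c4aa0ca4dba76830d69546f3ffdaa321dae51d3456d2894d090e0cde1243ada25b4ae4648c701
+ data.tar.gz: 36ba0115844053b24f8465368532768fef87c28d6abacbe82eab99178661f95b4cc1d1dc52b3a7724092bd72cfa983a1d03e50b25241534a8e9ec067e2c9b43b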
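--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.104.4
+ 3.111.2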
@@ -18,6 +18,7 @@ require_relative 'aws-sdk-core/ecs_credentials'
18
18
  require_relative 'aws-sdk-core/instance_profile_credentials'
19
19
  require_relative 'aws-sdk-core/shared_credentials'
20
20
  require_relative 'aws-sdk-core/process_credentials'
21
+ require_relative 'aws-sdk-core/sso_credentials'
21
22
 
22
23
  # client modules
23
24
 
@@ -81,14 +82,17 @@ require_relative 'aws-sdk-core/endpoint_cache'
81
82
  require_relative 'aws-sdk-core/client_side_monitoring/request_metrics'
82
83
  require_relative 'aws-sdk-core/client_side_monitoring/publisher'
83
84
 
84
- # arn
85
+ # utilities
85
86
 
86
87
  require_relative 'aws-sdk-core/arn'
87
88
  require_relative 'aws-sdk-core/arn_parser'
89
+ require_relative 'aws-sdk-core/ec2_metadata'
88
90
 
89
- # aws-sdk-sts is vendored to support Aws::AssumeRoleCredentials
91
+ # aws-sdk-sts is included to support Aws::AssumeRoleCredentials
92
+ require_relative 'aws-sdk-sts'
90
93
 
91
- require 'aws-sdk-sts'
94
+ # aws-sdk-sso is included to support Aws::SSOCredentials
95
+ require_relative 'aws-sdk-sso'
92
96
 
93
97
  module Aws
94
98
 
@@ -75,5 +75,18 @@ module Aws
75
75
  def to_s
76
76
  "arn:#{partition}:#{service}:#{region}:#{account_id}:#{resource}"
77
77
  end
78
+
79
+ # Return the ARN as a hash
80
+ #
81
+ # @return [Hash]
82
+ def to_h
83
+ {
84
+ partition: @partition,
85
+ service: @service,
86
+ region: @region,
87
+ account_id: @account_id,
88
+ resource: @resource
89
+ }
90
+ end
78
91
  end
79
92
  end
@@ -22,11 +22,13 @@ module Aws
22
22
  [
23
23
  [:static_credentials, {}],
24
24
  [:static_profile_assume_role_web_identity_credentials, {}],
25
+ [:static_profile_sso_credentials, {}],
25
26
  [:static_profile_assume_role_credentials, {}],
26
27
  [:static_profile_credentials, {}],
27
28
  [:static_profile_process_credentials, {}],
28
29
  [:env_credentials, {}],
29
30
  [:assume_role_web_identity_credentials, {}],
31
+ [:sso_credentials, {}],
30
32
  [:assume_role_credentials, {}],
31
33
  [:shared_credentials, {}],
32
34
  [:process_credentials, {}],
@@ -57,6 +59,14 @@ module Aws
57
59
  end
58
60
  end
59
61
 
62
+ def static_profile_sso_credentials(options)
63
+ if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
64
+ Aws.shared_config.sso_credentials_from_config(
65
+ profile: options[:config].profile
66
+ )
67
+ end
68
+ end
69
+
60
70
  def static_profile_assume_role_credentials(options)
61
71
  if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
62
72
  assume_role_with_profile(options, options[:config].profile)
@@ -115,6 +125,15 @@ module Aws
115
125
  nil
116
126
  end
117
127
 
128
+ def sso_credentials(options)
129
+ profile_name = determine_profile_name(options)
130
+ if Aws.shared_config.config_enabled?
131
+ Aws.shared_config.sso_credentials_from_config(profile: profile_name)
132
+ end
133
+ rescue Errors::NoSuchProfileError
134
+ nil
135
+ end
136
+
118
137
  def assume_role_credentials(options)
119
138
  if Aws.shared_config.config_enabled?
120
139
  assume_role_with_profile(options, determine_profile_name(options))
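Review bot: The provider list gains `:static_profile_sso_credentials` and `:sso_credentials` with no comment on precedence, although position in this array decides which credentials a client ends up with: a profile carrying SSO settings is now tried before the assume-role, static-profile and process entries that follow it. A comment above the list such as `# Order is precedence: the first provider that returns credentials wins; SSO is tried before assume-role and static profile keys.` would make that reviewable (the array and the code that walks it start outside the hunk, so the first-match behaviour is inferred). `sso_credentials` also rescues only `Errors::NoSuchProfileError`; a one-line comment stating whether other failures from `sso_credentials_from_config` are meant to abort resolution rather than fall through to the next provider would document the intended fail-closed behaviour.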
@@ -0,0 +1,218 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'time'
4
+ require 'net/http'
5
+
6
+ module Aws
7
+ # A client that can query version 2 of the EC2 Instance Metadata
8
+ class EC2Metadata
9
+ # Path for PUT request for token
10
+ # @api private
11
+ METADATA_TOKEN_PATH = '/latest/api/token'.freeze
12
+
13
+ # Raised when the PUT request is not valid. This would be thrown if
14
+ # `token_ttl` is not an Integer.
15
+ # @api private
16
+ class TokenRetrievalError < RuntimeError; end
17
+
18
+ # Token has expired, and the request can be retried with a new token.
19
+ # @api private
20
+ class TokenExpiredError < RuntimeError; end
21
+
22
+ # The requested metadata path does not exist.
23
+ # @api private
24
+ class MetadataNotFoundError < RuntimeError; end
25
+
26
+ # The request is not allowed or IMDS is turned off.
27
+ # @api private
28
+ class RequestForbiddenError < RuntimeError; end
29
+
30
+ # Creates a client that can query version 2 of the EC2 Instance Metadata
31
+ # service (IMDS).
32
+ #
33
+ # @note Customers using containers may need to increase their hop limit
34
+ # to access IMDSv2.
35
+ # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html#instance-metadata-transition-to-version-2
36
+ #
37
+ # @param [Hash] options
38
+ # @option options [Integer] :token_ttl (21600) The session token's TTL,
39
+ # defaulting to 6 hours.
40
+ # @option options [Integer] :retries (3) The number of retries for failed
41
+ # requests.
42
+ # @option options [String] :endpoint (169.254.169.254) The IMDS endpoint.
43
+ # @option options [Integer] :port (80) The IMDS endpoint port.
44
+ # @option options [Integer] :http_open_timeout (1) The number of seconds to
45
+ # wait for the connection to open.
46
+ # @option options [Integer] :http_read_timeout (1) The number of seconds for
47
+ # one chunk of data to be read.
48
+ # @option options [IO] :http_debug_output An output stream for debugging. Do
49
+ # not use this in production.
50
+ # @option options [Integer,Proc] :backoff A backoff used for retryable
51
+ # requests. When given an Integer, it sleeps that amount. When given a
52
+ # Proc, it is called with the current number of failed retries.
53
+ def initialize(options = {})
54
+ @token_ttl = options[:token_ttl] || 21_600
55
+ @retries = options[:retries] || 3
56
+ @backoff = backoff(options[:backoff])
57
+
58
+ @endpoint = options[:endpoint] || '169.254.169.254'
59
+ @port = options[:port] || 80
60
+
61
+ @http_open_timeout = options[:http_open_timeout] || 1
62
+ @http_read_timeout = options[:http_read_timeout] || 1
63
+ @http_debug_output = options[:http_debug_output]
64
+
65
+ @token = nil
66
+ @mutex = Mutex.new
67
+ end
68
+
69
+ # Fetches a given metadata category using a String path, and returns the
70
+ # result as a String. A path starts with the API version (usually
71
+ # "/latest/"). See the instance data categories for possible paths.
72
+ #
73
+ # @example Fetching the instance ID
74
+ #
75
+ # ec2_metadata = Aws::EC2Metadata.new
76
+ # ec2_metadata.get('/latest/meta-data/instance-id')
77
+ # => "i-023a25f10a73a0f79"
78
+ #
79
+ # @Note This implementation always returns a String and will not parse any
80
+ # responses. Parsable responses may include JSON objects or directory
81
+ # listings, which are strings separated by line feeds (ASCII 10).
82
+ #
83
+ # @example Fetching and parsing JSON meta-data
84
+ #
85
+ # require 'json'
86
+ # data = ec2_metadata.get('/latest/dynamic/instance-identity/document')
87
+ # JSON.parse(data)
88
+ # => {"accountId"=>"012345678912", ... }
89
+ #
90
+ # @example Fetching and parsing directory listings
91
+ #
92
+ # listing = ec2_metadata.get('/latest/meta-data')
93
+ # listing.split(10.chr)
94
+ # => ["ami-id", "ami-launch-index", ...]
95
+ #
96
+ # @Note Unlike other services, IMDS does not have a service API model. This
97
+ # means that we cannot confidently generate code with methods and
98
+ # response structures. This implementation ensures that new IMDS features
99
+ # are always supported by being deployed to the instance and does not
100
+ # require code changes.
101
+ #
102
+ # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html
103
+ # @see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
104
+ # @param [String] path The full path to the metadata.
105
+ def get(path)
106
+ retry_errors(max_retries: @retries) do
107
+ @mutex.synchronize do
108
+ fetch_token unless @token && !@token.expired?
109
+ end
110
+
111
+ open_connection do |conn|
112
+ http_get(conn, path, @token.value)
113
+ end
114
+ end
115
+ end
116
+
117
+ private
118
+
119
+ def fetch_token
120
+ open_connection do |conn|
121
+ token_value, token_ttl = http_put(conn, @token_ttl)
122
+ @token = Token.new(value: token_value, ttl: token_ttl)
123
+ end
124
+ end
125
+
126
+ def http_get(connection, path, token)
127
+ headers = {
128
+ 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
129
+ 'x-aws-ec2-metadata-token' => token
130
+ }
131
+ request = Net::HTTP::Get.new(path, headers)
132
+ response = connection.request(request)
133
+
134
+ case response.code.to_i
135
+ when 200
136
+ response.body
137
+ when 401
138
+ raise TokenExpiredError
139
+ when 404
140
+ raise MetadataNotFoundError
141
+ end
142
+ end
143
+
144
+ def http_put(connection, ttl)
145
+ headers = {
146
+ 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
147
+ 'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
148
+ }
149
+ request = Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers)
150
+ response = connection.request(request)
151
+
152
+ case response.code.to_i
153
+ when 200
154
+ [
155
+ response.body,
156
+ response.header['x-aws-ec2-metadata-token-ttl-seconds'].to_i
157
+ ]
158
+ when 400
159
+ raise TokenRetrievalError
160
+ when 403
161
+ raise RequestForbiddenError
162
+ end
163
+ end
164
+
165
+ def open_connection
166
+ http = Net::HTTP.new(@endpoint, @port, nil)
167
+ http.open_timeout = @http_open_timeout
168
+ http.read_timeout = @http_read_timeout
169
+ http.set_debug_output(@http_debug_output) if @http_debug_output
170
+ http.start
171
+ yield(http).tap { http.finish }
172
+ end
173
+
174
+ def retry_errors(options = {}, &_block)
175
+ max_retries = options[:max_retries]
176
+ retries = 0
177
+ begin
178
+ yield
179
+ # These errors should not be retried.
180
+ rescue TokenRetrievalError, MetadataNotFoundError, RequestForbiddenError
181
+ raise
182
+ # StandardError is not ideal but it covers Net::HTTP errors.
183
+ # https://gist.github.com/tenderlove/245188
184
+ rescue StandardError, TokenExpiredError
185
+ raise unless retries < max_retries
186
+
187
+ @backoff.call(retries)
188
+ retries += 1
189
+ retry
190
+ end
191
+ end
192
+
193
+ def backoff(backoff)
194
+ case backoff
195
+ when Proc then backoff
196
+ when Numeric then ->(_) { Kernel.sleep(backoff) }
197
+ else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
198
+ end
199
+ end
200
+
201
+ # @api private
202
+ class Token
203
+ def initialize(options = {})
204
+ @ttl = options[:ttl]
205
+ @value = options[:value]
206
+ @created_time = Time.now
207
+ end
208
+
209
+ # [String] Returns the token value.
210
+ attr_reader :value
211
+
212
+ # [Boolean] Returns true if the token expired.
213
+ def expired?
214
+ Time.now - @created_time > @ttl
215
+ end
216
+ end
217
+ end
218
+ end
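Review bot: `http_get` and `http_put` end in a `case` with no `else`, so any status they do not list (a 403 on GET, any 5xx) makes them return nil: `get` then hands nil to its caller, and a failed PUT builds a `Token` whose value and ttl are both nil, which the next `expired?` comparison cannot evaluate. Unlisted statuses should raise instead, as in the fence below; a bare `raise` with a message is a RuntimeError, which `retry_errors` already treats as retryable. A 401 also leaves `@token` in place, so every retry in `get` re-sends the token that was just rejected for as long as the local TTL says it is valid; clearing `@token` under the mutex before re-raising `TokenExpiredError` would let the retry fetch a fresh one. Finally, `open_connection` reaches `http.finish` only through `tap`, which is skipped whenever the block raises, so each failed attempt leaves a started connection behind; an `ensure` closes it.

```ruby
# http_get … unchanged: headers, request, and the 200/401/404 branches …
      when 403
        raise RequestForbiddenError
      else
        raise "unexpected IMDS status #{response.code} for GET #{path}"
      end

# http_put … unchanged: headers, request, and the 200/400/403 branches …
      else
        raise "unexpected IMDS status #{response.code} for token PUT"
      end

    def open_connection
      # … unchanged: Net::HTTP.new, timeouts, debug output …
      http.start
      yield(http)
    ensure
      # Runs on success and on every raised error, so retries do not pile up sockets.
      http.finish if http && http.started?
    end
```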
@@ -16,10 +16,10 @@ module Aws
16
16
  # @param [Aws::Structure] data
17
17
  def initialize(context, message, data = Aws::EmptyStructure.new)
18
18
  @code = self.class.code
19
- @message = message if message && !message.empty?
20
19
  @context = context
21
20
  @data = data
22
- super(message)
21
+ @message = message && !message.empty? ? message : self.class
22
+ super(@message)
23
23
  end
24
24
 
25
25
  # @return [String]
@@ -207,6 +207,9 @@ module Aws
207
207
  # payload with either invalid version number or malformed contents
208
208
  class InvalidProcessCredentialsPayload < RuntimeError; end
209
209
 
210
+ # Raised when SSO Credentials are invalid
211
+ class InvalidSSOCredentials < RuntimeError; end
212
+
210
213
  # Raised when a client is constructed and region is not specified.
211
214
  class MissingRegionError < ArgumentError
212
215
  def initialize(*args)
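Review bot: In the first hunk's `initialize`, the fallback branch stores `self.class`, a Class object, in `@message` and passes it to `super`, so the instance variable is a String on one path and a Class on the other. Converting at the assignment keeps it a String for anything that reads `@message` directly or serialises the error: `@message = message && !message.empty? ? message : self.class.to_s`. The enclosing class starts and ends outside the hunk, so whether a `message` reader is defined there cannot be confirmed from here.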
@@ -2,14 +2,14 @@
2
2
 
3
3
  module Aws
4
4
  module Json
5
- class OjEngine
5
+ class JSONEngine
6
6
 
7
7
  def self.load(json)
8
- Oj.load(json)
8
+ JSON.load(json)
9
9
  end
10
10
 
11
11
  def self.dump(value)
12
- Oj.dump(value)
12
+ JSON.dump(value)
13
13
  end
14
14
 
15
15
  end
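Review bot: `JSON.load` in `JSONEngine.load` is the permissive entry point of the json library: its defaults are looser than those of `JSON.parse` (nil and blank input, NaN, and in older json releases `create_additions`), and the json documentation reserves it for trusted sources. If this engine decodes HTTP response bodies, which the hunk does not show, `JSON.parse(json)` is the narrower call, provided no caller relies on empty input returning nil. The same applies to `Oj.load(json)` in the `OjEngine` hunk that follows: without an explicit mode it depends on Oj's process-wide default options, so passing one, e.g. `Oj.load(json, mode: :strict)`, pins the behaviour. Both lines are carried over unchanged by the class swap, so this is a follow-up rather than a regression.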
@@ -2,14 +2,14 @@
2
2
 
3
3
  module Aws
4
4
  module Json
5
- class JSONEngine
5
+ class OjEngine
6
6
 
7
7
  def self.load(json)
8
- JSON.load(json)
8
+ Oj.load(json)
9
9
  end
10
10
 
11
11
  def self.dump(value)
12
- JSON.dump(value)
12
+ Oj.dump(value)
13
13
  end
14
14
 
15
15
  end
@@ -49,8 +49,8 @@ module Aws
49
49
  module PageableResponse
50
50
 
51
51
  def self.extended(base)
52
- base.send(:extend, Enumerable)
53
- base.send(:extend, UnsafeEnumerableMethods)
52
+ base.extend Enumerable
53
+ base.extend UnsafeEnumerableMethods
54
54
  base.instance_variable_set("@last_page", nil)
55
55
  base.instance_variable_set("@more_results", nil)
56
56
  end
@@ -30,13 +30,28 @@ following classes:
30
30
  * `Aws::Credentials` - Used for configuring static, non-refreshing
31
31
  credentials.
32
32
 
33
+ * `Aws::SharedCredentials` - Used for loading static credentials from a
34
+ shared file, such as `~/.aws/config`.
35
+
36
+ * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
37
+
38
+ * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
39
+ assume a role after providing credentials via the web.
40
+
41
+ * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
42
+ access token generated from `aws login`.
43
+
44
+ * `Aws::ProcessCredentials` - Used for loading credentials from a
45
+ process that outputs to stdout.
46
+
33
47
  * `Aws::InstanceProfileCredentials` - Used for loading credentials
34
48
  from an EC2 IMDS on an EC2 instance.
35
49
 
36
- * `Aws::SharedCredentials` - Used for loading credentials from a
37
- shared file, such as `~/.aws/config`.
50
+ * `Aws::ECSCredentials` - Used for loading credentials from
51
+ instances running in ECS.
38
52
 
39
- * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
53
+ * `Aws::CognitoIdentityCredentials` - Used for loading credentials
54
+ from the Cognito Identity service.
40
55
 
41
56
  When `:credentials` are not configured directly, the following
42
57
  locations will be searched for credentials:
@@ -46,10 +61,10 @@ locations will be searched for credentials:
46
61
  * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
47
62
  * `~/.aws/credentials`
48
63
  * `~/.aws/config`
49
- * EC2 IMDS instance profile - When used by default, the timeouts are
50
- very aggressive. Construct and pass an instance of
51
- `Aws::InstanceProfileCredentails` to enable retries and extended
52
- timeouts.
64
+ * EC2/ECS IMDS instance profile - When used by default, the timeouts
65
+ are very aggressive. Construct and pass an instance of
66
+ `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
67
+ enable retries and extended timeouts.
53
68
  DOCS
54
69
  ) do |config|
55
70
  CredentialProviderChain.new(config).resolve
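Review bot: The rewritten IMDS bullet keeps the misspelled class name `Aws::InstanceProfileCredentails`; it should read `Aws::InstanceProfileCredentials`, as spelled earlier in the same docstring, otherwise a reader who copies it gets a NameError. The new `Aws::SSOCredentials` bullet names the command as `aws login`; the AWS CLI v2 command that creates the cached SSO token is `aws sso login`, so the text should say that. The heredoc opens before the first hunk, so only the changed bullets were checked.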
@@ -15,17 +15,18 @@ to default service endpoint when available.
15
15
  )
16
16
 
17
17
  def add_handlers(handlers, config)
18
- if config.regional_endpoint && !config.disable_host_prefix_injection
19
- handlers.add(Handler, priority: 90)
20
- end
18
+ handlers.add(Handler, priority: 10)
21
19
  end
22
20
 
23
21
  class Handler < Seahorse::Client::Handler
24
22
 
25
23
  def call(context)
26
- endpoint_trait = context.operation.endpoint_pattern
27
- if endpoint_trait && !endpoint_trait.empty?
28
- _apply_endpoint_trait(context, endpoint_trait)
24
+ if context.config.regional_endpoint &&
25
+ !context.config.disable_host_prefix_injection
26
+ endpoint_trait = context.operation.endpoint_pattern
27
+ if endpoint_trait && !endpoint_trait.empty?
28
+ _apply_endpoint_trait(context, endpoint_trait)
29
+ end
29
30
  end
30
31
  @handler.call(context)
31
32
  end