aws-sdk-core 3.117.0 → 3.197.2

data/lib/aws-sdk-core/rest/response/header_list_parser.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'strscan'
+
+module Aws
+  module Rest
+    module Response
+      # @api private
+      module HeaderListParser
+
+        class << self
+          # parse a list of possibly quoted and escaped string values
+          # Follows:
+          # # [RFC-7230's specification of header values](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6).
+          def parse_string_list(value)
+            buffer = StringScanner.new(value)
+            parsed = []
+
+            parsed << read_value(buffer) until buffer.eos?
+
+            parsed
+          end
+
+          def parse_timestamp_list(value, ref)
+            # timestamp lists use an http-date by default and are unescaped
+            # eg: Mon, 16 Dec 2019 23:48:18 GMT, Mon, 16 Dec 2019 23:48:18 GMT
+            case ref['timestampFormat'] || ref.shape['timestampFormat']
+            when 'unixTimestamp'
+              value.split(', ').map { |v| Time.at(v.to_f) }
+            when 'iso8601' then value.split(', ').map { |v| Time.parse(v) }
+            else
+              # header default to rfc822/http-date, which has a comma after day
+              value.split(',').each_slice(2).map { |v| Time.parse(v[0] + v[1])}
+            end
+          end
+
+          private
+
+          def read_value(buffer)
+            until buffer.eos?
+              case buffer.peek(1)
+              when ' ', "\t"
+                # drop leading whitespace
+                buffer.getch
+                next
+              when '"'
+                buffer.getch # drop the quote and advance
+                return read_quoted_value(buffer)
+              else
+                return read_unquoted_value(buffer)
+              end
+            end
+            # buffer is only whitespace
+            nil
+          end
+
+          def read_unquoted_value(buffer)
+            # there cannot be any escaped values
+            value = buffer.scan_until(/,|$/)
+            # drop the comma if we matched it
+            buffer.matched == ',' ? value.chop : value
+          end
+
+          def read_quoted_value(buffer)
+            # scan until we have an unescaped double quote
+            value = buffer.scan_until(/[^\\]"/)
+            raise ArgumentError, 'Invalid String list: No closing quote found' unless value
+
+            # drop any remaining whitespace/commas
+            buffer.scan_until(/[\s,]*/)
+            # the last character will always be the closing quote.
+            # Add a starting quote  and then unescape (undump)
+            "\"#{value}".undump
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/rest/response/headers.rb

@@ -2,6 +2,7 @@
 
 require 'time'
 require 'base64'
+require_relative 'header_list_parser'
 
 module Aws
   module Rest
@@ -36,12 +37,18 @@ module Aws
         def cast_value(ref, value)
           value = extract_json_trait(value) if ref['jsonvalue']
           case ref.shape
-          when StringShape then value
+          when StringShape then value.to_s
           when IntegerShape then value.to_i
-          when FloatShape then value.to_f
+          when FloatShape then Util.deserialize_number(value)
           when BooleanShape then value == 'true'
+          when ListShape then
+            case ref.shape.member.shape
+            when StringShape then HeaderListParser.parse_string_list(value)
+            when TimestampShape then HeaderListParser.parse_timestamp_list(value, ref.shape.member)
+            else value.split(', ').map { |v| cast_value(ref.shape.member, v) }
+            end
           when TimestampShape
-            if value =~ /\d+(\.\d*)/
+            if value =~ /^\d+(\.\d*)/
               Time.at(value.to_f)
             elsif value =~ /^\d+$/
               Time.at(value.to_i)

data/lib/aws-sdk-core/rest.rb

@@ -6,6 +6,7 @@ require_relative 'rest/request/builder'
 require_relative 'rest/request/endpoint'
 require_relative 'rest/request/headers'
 require_relative 'rest/request/querystring_builder'
+require_relative 'rest/request/content_type'
 require_relative 'rest/response/body'
 require_relative 'rest/response/headers'
 require_relative 'rest/response/parser'

data/lib/aws-sdk-core/shared_config.rb

@@ -3,7 +3,11 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
+
 
     # @return [String]
     attr_reader :credentials_path
@@ -51,10 +55,12 @@ module Aws
       @config_enabled = options[:config_enabled]
       @credentials_path = options[:credentials_path] ||
                           determine_credentials_path
+      @credentials_path = File.expand_path(@credentials_path) if @credentials_path
       @parsed_credentials = {}
       load_credentials_file if loadable?(@credentials_path)
       if @config_enabled
         @config_path = options[:config_path] || determine_config_path
+        @config_path = File.expand_path(@config_path) if @config_path
         load_config_file if loadable?(@config_path)
       end
     end
@@ -100,7 +106,7 @@ module Aws
     #   or `nil` if no valid credentials were found.
     def credentials(opts = {})
       p = opts[:profile] || @profile_name
-      validate_profile_exists(p) if credentials_present?
+      validate_profile_exists(p)
       if (credentials = credentials_from_shared(p, opts))
         credentials
       elsif (credentials = credentials_from_config(p, opts))
@@ -149,6 +155,38 @@ module Aws
       credentials
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_token_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      token = sso_token_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        token ||= sso_token_from_profile(@parsed_config, p)
+      end
+      token
+    end
+
+    # Source a custom configured endpoint from the shared configuration file
+    #
+    # @param [Hash] opts
+    # @option opts [String] :profile
+    # @option opts [String] :service_id
+    def configured_endpoint(opts = {})
+      # services section is only allowed in the shared config file (not credentials)
+      profile = opts[:profile] || @profile_name
+      service_id = opts[:service_id]&.gsub(" ", "_")&.downcase
+      if @parsed_config && (prof_config = @parsed_config[profile])
+        services_section_name = prof_config['services']
+        if (services_config = @parsed_config["services #{services_section_name}"]) &&
+          (service_config = services_config[service_id])
+          return service_config['endpoint_url'] if service_config['endpoint_url']
+        end
+        return prof_config['endpoint_url']
+      end
+      nil
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -163,8 +201,11 @@ module Aws
       :ca_bundle,
       :credential_process,
       :endpoint_discovery_enabled,
+      :use_dualstack_endpoint,
+      :use_fips_endpoint,
       :ec2_metadata_service_endpoint,
       :ec2_metadata_service_endpoint_mode,
+      :ec2_metadata_v1_disabled,
       :max_attempts,
       :retry_mode,
       :adaptive_retry_wait_to_fill,
@@ -175,7 +216,14 @@ module Aws
       :csm_port,
       :sts_regional_endpoints,
       :s3_use_arn_region,
-      :s3_us_east_1_regional_endpoint
+      :s3_us_east_1_regional_endpoint,
+      :s3_disable_multiregion_access_points,
+      :s3_disable_express_session_auth,
+      :defaults_mode,
+      :sdk_ua_app_id,
+      :disable_request_compression,
+      :request_min_compression_size_bytes,
+      :ignore_configured_endpoint_urls
     )
 
     private
@@ -191,11 +239,6 @@ module Aws
       value
     end
 
-    def credentials_present?
-      (@parsed_credentials && !@parsed_credentials.empty?) ||
-        (@parsed_config && !@parsed_config.empty?)
-    end
-
     def assume_role_from_profile(cfg, profile, opts, chain_config)
       if cfg && prof_cfg = cfg[profile]
         opts[:source_profile] ||= prof_cfg['source_profile']
@@ -315,13 +358,53 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
+
+        if sso_session_name = prof_config['sso_session']
+          sso_session = sso_session(cfg, profile, sso_session_name)
+
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
 
         SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
           sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
+          sso_role_name: prof_config['sso_role_name'],
+          sso_session: prof_config['sso_session'],
+          sso_region: sso_region,
+          sso_start_url: sso_start_url
+          )
+      end
+    end
+
+    # If the required sso_ profile values are present, attempt to construct
+    # SSOTokenProvider
+    def sso_token_from_profile(cfg, profile)
+      if @parsed_config &&
+        (prof_config = cfg[profile]) &&
+        !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
+
+        sso_session_name = prof_config['sso_session']
+        sso_session = sso_session(cfg, profile, sso_session_name)
+
+        SSOTokenProvider.new(
+          sso_session: sso_session_name,
+          sso_region: sso_session['sso_region']
         )
       end
     end
@@ -375,5 +458,22 @@ module Aws
       ret ||= 'default'
       ret
     end
+
+    def sso_session(cfg, profile, sso_session_name)
+      # aws sso-configure may add quotes around sso session names with whitespace
+      sso_session = cfg["sso-session #{sso_session_name}"] || cfg["sso-session '#{sso_session_name}'"]
+
+      unless sso_session
+        raise ArgumentError,
+          "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+      end
+
+      unless sso_session['sso_region']
+        raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+      end
+
+      sso_session
+    end
   end
 end

data/lib/aws-sdk-core/sso_credentials.rb

@@ -1,45 +1,37 @@
 # frozen_string_literal: true
 
 module Aws
-  # An auto-refreshing credential provider that works by assuming a
-  # role via {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token.  This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # For more background on AWS SSO see the official
-  # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
-  #
-  # ## Refreshing Credentials from SSO
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
-  #
+  # An auto-refreshing credential provider that assumes a role via
+  # {Aws::SSO::Client#get_role_credentials} using a cached access
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
-  #
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
-  # If you omit `:client` option, a new {SSO::Client} object will be
-  # constructed.
+  # If you omit `:client` option, a new {Aws::SSO::Client} object will be
+  # constructed with additional options that were provided.
+  #
+  # @see Aws::SSO::Client#get_role_credentials
+  # @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
   class SSOCredentials
 
     include CredentialProvider
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -49,38 +41,79 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
-      end
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
+        # validate we can read the token file
+        read_cached_token
 
-      # validate we can read the token file
-      read_cached_token
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
+      end
 
-      options[:region] = @sso_region
-      options[:credentials] = nil
-      @client = options[:client] || Aws::SSO::Client.new(options)
+      @async_refresh = true
       super
     end
 
@@ -100,24 +133,32 @@ module Aws
         raise ArgumentError, 'Cached SSO Token is expired.'
       end
       cached_token
-    rescue Aws::Json::ParseError, ArgumentError
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
       raise Errors::InvalidSSOCredentials, SSO_LOGIN_GUIDANCE
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,
         c.secret_access_key,
         c.session_token
       )
-      @expiration = c.expiration
+      @expiration = Time.at(c.expiration / 1000.0)
     end
 
     def sso_cache_file

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+module Aws
+  class SSOTokenProvider
+
+    include TokenProvider
+    include RefreshingToken
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_session The SSO Session used to
+    #   for fetching this token.
+    #
+    # @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_session = options.delete(:sso_session)
+      @sso_region = options.delete(:sso_region)
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      options[:token_provider] = nil
+      @client = options[:client] || Aws::SSOOIDC::Client.new(options)
+
+      super
+    end
+
+    # @return [SSOOIDC::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # token is valid and not in refresh window - do not refresh it.
+      return if @token && @token.expiration && !near_expiration?
+
+      # token may not exist or is out of the expiration window
+      # attempt to refresh from disk first (another process/application may have refreshed already)
+      token_json = read_cached_token
+      @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+      return if @token && @token.expiration && !near_expiration?
+
+      # The token is expired and needs to be refreshed
+      if can_refresh_token?(token_json)
+        begin
+          current_time = Time.now
+          resp = @client.create_token(
+            grant_type: 'refresh_token',
+            client_id: token_json['clientId'],
+            client_secret: token_json['clientSecret'],
+            refresh_token: token_json['refreshToken']
+          )
+          token_json['accessToken'] = resp.access_token
+          token_json['expiresAt'] = current_time + resp.expires_in
+          @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+
+          if resp.refresh_token
+            token_json['refreshToken'] = resp.refresh_token
+          else
+            token_json.delete('refreshToken')
+          end
+
+          update_token_cache(token_json)
+        rescue
+          # refresh has failed, continue attempting to use the token if its not hard expired
+        end
+      end
+
+      if !@token.expiration || @token.expiration < Time.now
+        # Token is hard expired, raise an exception
+        raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
+      end
+    end
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
+      File.write(sso_cache_file, Json.dump(cached_token))
+    end
+
+    def sso_cache_file
+      sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+
+    # return true if all required fields are present
+    # return false if registrationExpiresAt exists and is later than now
+    def can_refresh_token?(token_json)
+      if token_json['clientId'] &&
+        token_json['clientSecret'] &&
+        token_json['refreshToken']
+
+        return !token_json['registrationExpiresAt'] ||
+          Time.parse(token_json['registrationExpiresAt']) > Time.now
+      else
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/static_token_provider.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Aws
+  class StaticTokenProvider
+
+    include TokenProvider
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = Token.new(token, expiration)
+    end
+  end
+end