aws-sdk-core 3.122.1 → 3.125.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 537c37ff87364e7db7df2b499b7e82544a3912b817b32d4b43ae81a32c511f7b
-  data.tar.gz: 7deac3f2493760b46f54ae0f54022878641023f54566af10d56e270ea7590935
+  metadata.gz: def152a91149637981ad2822c07522bf7362d6ac6a654c8debbcd218e40dad54
+  data.tar.gz: 79c65b3a466afca388f13f70ad0f4d2b9d6bba431cc5bd62b631d1c0ca538189
 SHA512:
-  metadata.gz: 63aa35b1adf4d9f660f35af4f174922fe417b9f1124602d493d4fcc90c256e8ffb472489c606746f8c06f72f71c9faa33a8a1746d7496e1fc76a2a8d138a5b7e
-  data.tar.gz: 113f6de79f057dd502327550b44566f52f291f1358817778dc915849c4838b29f9724f1cd4ad5f75b2df153675e058982b26a47ffbc585d008b280fb87744417
+  metadata.gz: f93f49d7f0dbc42c84db54f5b586cc95867cfe9f69769e0b8b766ddfe26c4a6854b53e34a9ff51b4ffc28190a4629e4473893d43406eaf29c251c5dfb346b3c9
+  data.tar.gz: b4c3131c2940c25ac868df96d1aa0bcce525aa26b2ee1a233113628533a51f47d39d49cc40878c14c0368399dbc9f51d7ccaec524f53e56a24d909fd20ac1017

data/CHANGELOG.md

@@ -1,6 +1,25 @@
 Unreleased Changes
 ------------------
 
+3.125.0 (2021-12-21)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add `:defaults_mode` configuration - that determines how certain default configuration options are resolved in the SDK.
+
+3.124.0 (2021-11-30)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.123.0 (2021-11-23)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
 3.122.1 (2021-11-09)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.122.1
+3.125.0

data/lib/aws-defaults/default_configuration.rb

@@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+require_relative 'defaults_mode_config_resolver'
+
+module Aws
+
+  # A defaults mode determines how certain default configuration options are resolved in the SDK.
+  #
+  # *Note*: For any mode other than `'legacy'` the vended default values might change as best practices may
+  # evolve. As a result, it is encouraged to perform testing when upgrading the SDK if you are using a mode other than
+  # `'legacy'`.  While the `'legacy'` defaults mode is specific to Ruby,
+  # other modes are standardized across all of the AWS SDKs.
+  #
+  #  The defaults mode can be configured:
+  #
+  #  * Directly on a client via `:defaults_mode`
+  #
+  #  * On a configuration profile via the "defaults_mode" profile file property.
+  #
+  #  * Globally via the "AWS_DEFAULTS_MODE" environment variable.
+  #
+  #
+  # @code_generation START - documentation
+  # The following `:default_mode` values are supported:
+  #
+  # * `'standard'` -
+  #   The STANDARD mode provides the latest recommended default values
+  #   that should be safe to run in most scenarios
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'in-region'` -
+  #   The IN\_REGION mode builds on the standard mode and includes
+  #   optimization tailored for applications which call AWS services from
+  #   within the same AWS region
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'cross-region'` -
+  #   The CROSS\_REGION mode builds on the standard mode and includes
+  #   optimization tailored for applications which call AWS services in a
+  #   different region
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'mobile'` -
+  #   The MOBILE mode builds on the standard mode and includes
+  #   optimization tailored for mobile applications
+  #
+  #   Note that the default values vended from this mode might change as
+  #   best practices may evolve. As a result, it is encouraged to perform
+  #   tests when upgrading the SDK
+  #
+  # * `'auto'` -
+  #   The AUTO mode is an experimental mode that builds on the standard
+  #   mode. The SDK will attempt to discover the execution environment to
+  #   determine the appropriate settings automatically.
+  #
+  #   Note that the auto detection is heuristics-based and does not
+  #   guarantee 100% accuracy. STANDARD mode will be used if the execution
+  #   environment cannot be determined. The auto detection might query
+  #   [EC2 Instance Metadata service][1], which might introduce latency.
+  #   Therefore we recommend choosing an explicit defaults\_mode instead
+  #   if startup latency is critical to your application
+  #
+  # * `'legacy'` -
+  #   The LEGACY mode provides default settings that vary per SDK and were
+  #   used prior to establishment of defaults\_mode
+  #
+  # Based on the provided mode, the SDK will vend sensible default values
+  # tailored to the mode for the following settings:
+  #
+  # * `:retry_mode` -
+  #   A retry mode specifies how the SDK attempts retries. See [Retry
+  #   Mode][2]
+  #
+  # * `:sts_regional_endpoints` -
+  #   Specifies how the SDK determines the AWS service endpoint that it
+  #   uses to talk to the AWS Security Token Service (AWS STS). See
+  #   [Setting STS Regional endpoints][3]
+  #
+  # * `:s3_us_east_1_regional_endpoint` -
+  #   Specifies how the SDK determines the AWS service endpoint that it
+  #   uses to talk to the Amazon S3 for the us-east-1 region
+  #
+  # * `:http_open_timeout` -
+  #   The amount of time after making an initial connection attempt on a
+  #   socket, where if the client does not receive a completion of the
+  #   connect handshake, the client gives up and fails the operation
+  #
+  # * `:ssl_timeout` -
+  #   The maximum amount of time that a TLS handshake is allowed to take
+  #   from the time the CLIENT HELLO message is sent to ethe time the
+  #   client and server have fully negotiated ciphers and exchanged keys
+  #
+  #  All options above can be configured by users, and the overridden value will take precedence.
+  #
+  # [1]: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
+  # [2]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-retry_mode.html
+  # [3]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-sts_regional_endpoints.html
+  #
+  # @code_generation END - documentation
+  module DefaultsModeConfiguration
+    # @api private
+    # @code_generation START - configuration
+    SDK_DEFAULT_CONFIGURATION = 
+    {
+      "version" => 1,
+      "base" => {
+        "retryMode" => "standard",
+        "stsRegionalEndpoints" => "regional",
+        "s3UsEast1RegionalEndpoints" => "regional",
+        "connectTimeoutInMillis" => 1100,
+        "tlsNegotiationTimeoutInMillis" => 1100
+      },
+      "modes" => {
+        "standard" => {
+          "connectTimeoutInMillis" => {
+            "override" => 3100
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 3100
+          }
+        },
+        "in-region" => {
+        },
+        "cross-region" => {
+          "connectTimeoutInMillis" => {
+            "override" => 3100
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 3100
+          }
+        },
+        "mobile" => {
+          "connectTimeoutInMillis" => {
+            "override" => 30000
+          },
+          "tlsNegotiationTimeoutInMillis" => {
+            "override" => 30000
+          }
+        }
+      }
+    }
+    # @code_generation END - configuration
+  end
+end

data/lib/aws-defaults/defaults_mode_config_resolver.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Aws
+  #@api private
+  class DefaultsModeConfigResolver
+
+    @@application_region = nil
+    @@application_region_mutex = Mutex.new
+    @@imds_client = EC2Metadata.new(retries: 0, http_open_timeout: 0.01)
+
+    # mappings from Ruby SDK configuration names to the
+    # sdk defaults option names and (optional) scale modifiers
+    CFG_OPTIONS = {
+      retry_mode: { name: "retryMode" },
+      sts_regional_endpoints: { name: "stsRegionalEndpoints" },
+      s3_us_east_1_regional_endpoint: { name: "s3UsEast1RegionalEndpoints" },
+      http_open_timeout: { name: "connectTimeoutInMillis", scale: 0.001 },
+      http_read_timeout: { name: "timeToFirstByteTimeoutInMillis", scale: 0.001 },
+      ssl_timeout: { name: "tlsNegotiationTimeoutInMillis", scale: 0.001 }
+    }.freeze
+
+    def initialize(sdk_defaults, cfg)
+      @sdk_defaults = sdk_defaults
+      @cfg = cfg
+      @resolved_mode = nil
+      @mutex = Mutex.new
+    end
+
+    # option_name should be the symbolized ruby name to resolve
+    # returns the ruby appropriate value or nil if none are resolved
+    def resolve(option_name)
+      return unless (std_option = CFG_OPTIONS[option_name])
+      mode = resolved_mode.downcase
+
+      return nil if mode == 'legacy'
+
+      value = resolve_for_mode(std_option[:name], mode)
+      value = value * std_option[:scale] if value && std_option[:scale]
+
+      value
+    end
+
+    private
+    def resolved_mode
+      @mutex.synchronize do
+        return @resolved_mode unless @resolved_mode.nil?
+
+        @resolved_mode = @cfg.defaults_mode == 'auto' ? resolve_auto_mode : @cfg.defaults_mode
+      end
+    end
+
+    def resolve_auto_mode
+      return "mobile" if env_mobile?
+
+      region = application_current_region
+
+      if region
+        @cfg.region == region ? "in-region": "cross-region"
+      else
+        # We don't seem to be mobile, and we couldn't determine whether we're running within an AWS region. Fall back to standard.
+        'standard'
+      end
+    end
+
+    def application_current_region
+      resolved_region = @@application_region_mutex.synchronize do
+        return @@application_region unless @@application_region.nil?
+
+        region = nil
+        if ENV['AWS_EXECUTION_ENV']
+          region = ENV['AWS_REGION'] || ENV['AWS_DEFAULT_REGION']
+        end
+
+        if region.nil? && ENV['AWS_EC2_METADATA_DISABLED']&.downcase != "true"
+          begin
+            region = @@imds_client.get('/latest/meta-data/placement/region')
+          rescue
+            # unable to get region, leave it unset
+          end
+        end
+
+        # required so that we cache the unknown/nil result
+        @@application_region = region || :unknown
+      end
+      resolved_region == :unknown ? nil : resolved_region
+    end
+
+    def resolve_for_mode(name, mode)
+      base_value = @sdk_defaults['base'][name]
+      mode_value = @sdk_defaults['modes'].fetch(mode, {})[name]
+
+      if mode_value.nil?
+        return base_value
+      end
+
+      return mode_value['override'] unless mode_value['override'].nil?
+      return base_value + mode_value['add'] unless mode_value['add'].nil?
+      return base_value * mode_value['multiply'] unless mode_value['multiply'].nil?
+      return base_value
+    end
+
+    def env_mobile?
+      false
+    end
+
+  end
+end

data/lib/aws-defaults.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'aws-defaults/default_configuration'

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -64,7 +64,9 @@ locations will be searched for credentials:
 * EC2/ECS IMDS instance profile - When used by default, the timeouts
   are very aggressive. Construct and pass an instance of
   `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
-  enable retries and extended timeouts.
+  enable retries and extended timeouts. Instance profile credential
+  fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
+  to true.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve

data/lib/aws-sdk-core/plugins/defaults_mode.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class DefaultsMode < Seahorse::Client::Plugin
+
+      option(:defaults_mode,
+             default: 'legacy',
+             doc_type: String,
+             docstring: <<-DOCS
+See {Aws::DefaultsModeConfiguration} for a list of the 
+accepted modes and the configuration defaults that are included.
+      DOCS
+      ) do |cfg|
+        resolve_defaults_mode(cfg)
+      end
+
+      option(:defaults_mode_config_resolver,
+             doc_type: 'Aws::DefaultsModeConfigResolver') do |cfg|
+        Aws::DefaultsModeConfigResolver.new(
+          Aws::DefaultsModeConfiguration::SDK_DEFAULT_CONFIGURATION, cfg)
+      end
+
+      class << self
+        private
+
+        def resolve_defaults_mode(cfg)
+          value = ENV['AWS_DEFAULTS_MODE']
+          value ||= Aws.shared_config.defaults_mode(
+            profile: cfg.profile
+          )
+          value&.downcase || "legacy"
+        end
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/retry_errors.rb

@@ -163,9 +163,15 @@ a clock skew correction and retry requests with skewed client clocks.
       option(:clock_skew) { Retries::ClockSkew.new }
 
       def self.resolve_retry_mode(cfg)
-        value = ENV['AWS_RETRY_MODE'] ||
-                Aws.shared_config.retry_mode(profile: cfg.profile) ||
-                'legacy'
+        default_mode_value =
+          if cfg.respond_to?(:defaults_mode_config_resolver)
+            cfg.defaults_mode_config_resolver.resolve(:retry_mode)
+          end
+
+          value = ENV['AWS_RETRY_MODE'] ||
+                  Aws.shared_config.retry_mode(profile: cfg.profile) ||
+                  default_mode_value ||
+                  'legacy'
         # Raise if provided value is not one of the retry modes
         if value != 'legacy' && value != 'standard' && value != 'adaptive'
           raise ArgumentError,

data/lib/aws-sdk-core/shared_config.rb

@@ -178,7 +178,8 @@ module Aws
       :sts_regional_endpoints,
       :s3_use_arn_region,
       :s3_us_east_1_regional_endpoint,
-      :s3_disable_multiregion_access_points
+      :s3_disable_multiregion_access_points,
+      :defaults_mode
     )
 
     private

data/lib/aws-sdk-core.rb

@@ -88,6 +88,9 @@ require_relative 'aws-sdk-core/arn'
 require_relative 'aws-sdk-core/arn_parser'
 require_relative 'aws-sdk-core/ec2_metadata'
 
+# defaults
+require_relative 'aws-defaults'
+
 # plugins
 # loaded through building STS or SSO ..
 

data/lib/aws-sdk-sso/client.rb

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/rest_json.rb'
 
@@ -73,6 +74,7 @@ module Aws::SSO
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::SignatureV4)
     add_plugin(Aws::Plugins::Protocols::RestJson)
 
@@ -119,7 +121,9 @@ module Aws::SSO
     #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
     #       are very aggressive. Construct and pass an instance of
     #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
-    #       enable retries and extended timeouts.
+    #       enable retries and extended timeouts. Instance profile credential
+    #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
+    #       to true.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -173,6 +177,10 @@ module Aws::SSO
     #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
     #     a clock skew correction and retry requests with skewed client clocks.
     #
+    #   @option options [String] :defaults_mode ("legacy")
+    #     See {Aws::DefaultsModeConfiguration} for a list of the
+    #     accepted modes and the configuration defaults that are included.
+    #
     #   @option options [Boolean] :disable_host_prefix_injection (false)
     #     Set to true to disable SDK automatically adding host prefix
     #     to default service endpoint when available.
@@ -295,7 +303,7 @@ module Aws::SSO
     #     seconds to wait when opening a HTTP session before raising a
     #     `Timeout::Error`.
     #
-    #   @option options [Integer] :http_read_timeout (60) The default
+    #   @option options [Float] :http_read_timeout (60) The default
     #     number of seconds to wait for response data.  This value can
     #     safely be set per-request on the session.
     #
@@ -311,6 +319,9 @@ module Aws::SSO
     #     disables this behaviour.  This value can safely be set per
     #     request on the session.
     #
+    #   @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
+    #     in seconds.
+    #
     #   @option options [Boolean] :http_wire_trace (false) When `true`,
     #     HTTP debug output will be sent to the `:logger`.
     #
@@ -530,7 +541,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.122.1'
+      context[:gem_version] = '3.125.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.122.1'
+  GEM_VERSION = '3.125.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/query.rb'
 require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
@@ -74,6 +75,7 @@ module Aws::STS
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::SignatureV4)
     add_plugin(Aws::Plugins::Protocols::Query)
     add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
@@ -121,7 +123,9 @@ module Aws::STS
     #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
     #       are very aggressive. Construct and pass an instance of
     #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
-    #       enable retries and extended timeouts.
+    #       enable retries and extended timeouts. Instance profile credential
+    #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
+    #       to true.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -175,6 +179,10 @@ module Aws::STS
     #     Used only in `standard` and adaptive retry modes. Specifies whether to apply
     #     a clock skew correction and retry requests with skewed client clocks.
     #
+    #   @option options [String] :defaults_mode ("legacy")
+    #     See {Aws::DefaultsModeConfiguration} for a list of the
+    #     accepted modes and the configuration defaults that are included.
+    #
     #   @option options [Boolean] :disable_host_prefix_injection (false)
     #     Set to true to disable SDK automatically adding host prefix
     #     to default service endpoint when available.
@@ -302,7 +310,7 @@ module Aws::STS
     #     seconds to wait when opening a HTTP session before raising a
     #     `Timeout::Error`.
     #
-    #   @option options [Integer] :http_read_timeout (60) The default
+    #   @option options [Float] :http_read_timeout (60) The default
     #     number of seconds to wait for response data.  This value can
     #     safely be set per-request on the session.
     #
@@ -318,6 +326,9 @@ module Aws::STS
     #     disables this behaviour.  This value can safely be set per
     #     request on the session.
     #
+    #   @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
+    #     in seconds.
+    #
     #   @option options [Boolean] :http_wire_trace (false) When `true`,
     #     HTTP debug output will be sent to the `:logger`.
     #
@@ -350,15 +361,15 @@ module Aws::STS
     # `AssumeRole` within your account or for cross-account access. For a
     # comparison of `AssumeRole` with other API operations that produce
     # temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
-    # User Guide*.
+    # Credentials][1] and [Comparing the Amazon Web Services STS API
+    # operations][2] in the *IAM User Guide*.
     #
     # **Permissions**
     #
     # The temporary security credentials created by `AssumeRole` can be used
     # to make API calls to any Amazon Web Services service with the
-    # following exception: You cannot call the STS `GetFederationToken` or
-    # `GetSessionToken` API operations.
+    # following exception: You cannot call the Amazon Web Services STS
+    # `GetFederationToken` or `GetSessionToken` API operations.
     #
     # (Optional) You can pass inline or managed [session policies][3] to
     # this operation. You can pass a single JSON policy document to use as
@@ -375,28 +386,37 @@ module Aws::STS
     # assumed. For more information, see [Session Policies][3] in the *IAM
     # User Guide*.
     #
-    # To assume a role from a different account, your account must be
-    # trusted by the role. The trust relationship is defined in the role's
-    # trust policy when the role is created. That trust policy states which
-    # accounts are allowed to delegate that access to users in the account.
+    # When you create a role, you create two policies: A role trust policy
+    # that specifies *who* can assume the role and a permissions policy that
+    # specifies *what* can be done with the role. You specify the trusted
+    # principal who is allowed to assume the role in the role trust policy.
+    #
+    # To assume a role from a different account, your Amazon Web Services
+    # account must be trusted by the role. The trust relationship is defined
+    # in the role's trust policy when the role is created. That trust
+    # policy states which accounts are allowed to delegate that access to
+    # users in the account.
     #
     # A user who wants to access a role in a different account must also
     # have permissions that are delegated from the user account
     # administrator. The administrator must attach a policy that allows the
     # user to call `AssumeRole` for the ARN of the role in the other
-    # account. If the user is in the same account as the role, then you can
-    # do either of the following:
+    # account.
     #
-    # * Attach a policy to the user (identical to the previous user in a
-    #   different account).
+    # To allow a user to assume a role in the same account, you can do
+    # either of the following:
+    #
+    # * Attach a policy to the user that allows the user to call
+    #   `AssumeRole` (as long as the role's trust policy trusts the
+    #   account).
     #
     # * Add the user as a principal directly in the role's trust policy.
     #
-    # In this case, the trust policy acts as an IAM resource-based policy.
-    # Users in the same account as the role do not need explicit permission
-    # to assume the role. For more information about trust policies and
-    # resource-based policies, see [IAM Policies][4] in the *IAM User
-    # Guide*.
+    # You can do either because the role’s trust policy acts as an IAM
+    # resource-based policy. When a resource-based policy grants access to a
+    # principal in the same account, no additional identity-based policy is
+    # required. For more information about trust policies and resource-based
+    # policies, see [IAM Policies][4] in the *IAM User Guide*.
     #
     # **Tags**
     #
@@ -538,15 +558,25 @@ module Aws::STS
     #
     # @option params [Integer] :duration_seconds
     #   The duration, in seconds, of the role session. The value specified can
-    #   can range from 900 seconds (15 minutes) up to the maximum session
-    #   duration that is set for the role. The maximum session duration
-    #   setting can have a value from 1 hour to 12 hours. If you specify a
-    #   value higher than this setting or the administrator setting (whichever
-    #   is lower), the operation fails. For example, if you specify a session
-    #   duration of 12 hours, but your administrator set the maximum session
-    #   duration to 6 hours, your operation fails. To learn how to view the
-    #   maximum value for your role, see [View the Maximum Session Duration
-    #   Setting for a Role][1] in the *IAM User Guide*.
+    #   range from 900 seconds (15 minutes) up to the maximum session duration
+    #   set for the role. The maximum session duration setting can have a
+    #   value from 1 hour to 12 hours. If you specify a value higher than this
+    #   setting or the administrator setting (whichever is lower), the
+    #   operation fails. For example, if you specify a session duration of 12
+    #   hours, but your administrator set the maximum session duration to 6
+    #   hours, your operation fails.
+    #
+    #   Role chaining limits your Amazon Web Services CLI or Amazon Web
+    #   Services API role session to a maximum of one hour. When you use the
+    #   `AssumeRole` API operation to assume a role, you can specify the
+    #   duration of your role session with the `DurationSeconds` parameter.
+    #   You can specify a parameter value of up to 43200 seconds (12 hours),
+    #   depending on the maximum session duration setting for your role.
+    #   However, if you assume a role using role chaining and provide a
+    #   `DurationSeconds` parameter value greater than one hour, the operation
+    #   fails. To learn how to view the maximum value for your role, see [View
+    #   the Maximum Session Duration Setting for a Role][1] in the *IAM User
+    #   Guide*.
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -555,8 +585,8 @@ module Aws::STS
     #   The request to the federation endpoint for a console sign-in token
     #   takes a `SessionDuration` parameter that specifies the maximum length
     #   of the console session. For more information, see [Creating a URL that
-    #   Enables Federated Users to Access the Management Console][2] in the
-    #   *IAM User Guide*.
+    #   Enables Federated Users to Access the Amazon Web Services Management
+    #   Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -568,8 +598,8 @@ module Aws::STS
     # @option params [Array<Types::Tag>] :tags
     #   A list of session tags that you want to pass. Each session tag
     #   consists of a key name and an associated value. For more information
-    #   about session tags, see [Tagging STS Sessions][1] in the *IAM User
-    #   Guide*.
+    #   about session tags, see [Tagging Amazon Web Services STS Sessions][1]
+    #   in the *IAM User Guide*.
     #
     #   This parameter is optional. You can pass up to 50 session tags. The
     #   plaintext session tag keys can’t exceed 128 characters, and the values
@@ -798,8 +828,8 @@ module Aws::STS
     # user-specific credentials or configuration. For a comparison of
     # `AssumeRoleWithSAML` with the other API operations that produce
     # temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
-    # User Guide*.
+    # Credentials][1] and [Comparing the Amazon Web Services STS API
+    # operations][2] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this operation consist
     # of an access key ID, a secret access key, and a security token.
@@ -1051,8 +1081,8 @@ module Aws::STS
     #   The request to the federation endpoint for a console sign-in token
     #   takes a `SessionDuration` parameter that specifies the maximum length
     #   of the console session. For more information, see [Creating a URL that
-    #   Enables Federated Users to Access the Management Console][2] in the
-    #   *IAM User Guide*.
+    #   Enables Federated Users to Access the Amazon Web Services Management
+    #   Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -1172,8 +1202,8 @@ module Aws::STS
     # a token from the web identity provider. For a comparison of
     # `AssumeRoleWithWebIdentity` with the other API operations that produce
     # temporary credentials, see [Requesting Temporary Security
-    # Credentials][5] and [Comparing the STS API operations][6] in the *IAM
-    # User Guide*.
+    # Credentials][5] and [Comparing the Amazon Web Services STS API
+    # operations][6] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this API consist of an
     # access key ID, a secret access key, and a security token. Applications
@@ -1433,8 +1463,8 @@ module Aws::STS
     #   The request to the federation endpoint for a console sign-in token
     #   takes a `SessionDuration` parameter that specifies the maximum length
     #   of the console session. For more information, see [Creating a URL that
-    #   Enables Federated Users to Access the Management Console][2] in the
-    #   *IAM User Guide*.
+    #   Enables Federated Users to Access the Amazon Web Services Management
+    #   Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -1540,17 +1570,17 @@ module Aws::STS
     #  </note>
     #
     # The message is encoded because the details of the authorization status
-    # can constitute privileged information that the user who requested the
+    # can contain privileged information that the user who requested the
     # operation should not see. To decode an authorization status message, a
-    # user must be granted permissions via an IAM policy to request the
-    # `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
+    # user must be granted permissions through an IAM [policy][1] to request
+    # the `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
     # action.
     #
     # The decoded message includes the following type of information:
     #
     # * Whether the request was denied due to an explicit deny or due to the
     #   absence of an explicit allow. For more information, see [Determining
-    #   Whether a Request is Allowed or Denied][1] in the *IAM User Guide*.
+    #   Whether a Request is Allowed or Denied][2] in the *IAM User Guide*.
     #
     # * The principal who made the request.
     #
@@ -1562,7 +1592,8 @@ module Aws::STS
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
     #
     # @option params [required, String] :encoded_message
     #   The encoded message that was returned with the response.
@@ -1757,8 +1788,8 @@ module Aws::STS
     # can be safely stored, usually in a server-based application. For a
     # comparison of `GetFederationToken` with the other API operations that
     # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
-    # User Guide*.
+    # Credentials][1] and [Comparing the Amazon Web Services STS API
+    # operations][2] in the *IAM User Guide*.
     #
     # <note markdown="1"> You can create a mobile-based or browser-based app that can
     # authenticate users using a web identity provider like Login with
@@ -1782,7 +1813,7 @@ module Aws::STS
     # The temporary credentials are valid for the specified duration, from
     # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
     # hours). The default session duration is 43,200 seconds (12 hours).
-    # Temporary credentials that are obtained by using Amazon Web Services
+    # Temporary credentials obtained by using the Amazon Web Services
     # account root user credentials have a maximum duration of 3,600 seconds
     # (1 hour).
     #
@@ -1837,65 +1868,6 @@ module Aws::STS
     #
     #  </note>
     #
-    # You can also call `GetFederationToken` using the security credentials
-    # of an Amazon Web Services account root user, but we do not recommend
-    # it. Instead, we recommend that you create an IAM user for the purpose
-    # of the proxy application. Then attach a policy to the IAM user that
-    # limits federated users to only the actions and resources that they
-    # need to access. For more information, see [IAM Best Practices][5] in
-    # the *IAM User Guide*.
-    #
-    # **Session duration**
-    #
-    # The temporary credentials are valid for the specified duration, from
-    # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
-    # hours). The default session duration is 43,200 seconds (12 hours).
-    # Temporary credentials that are obtained by using Amazon Web Services
-    # account root user credentials have a maximum duration of 3,600 seconds
-    # (1 hour).
-    #
-    # **Permissions**
-    #
-    # You can use the temporary credentials created by `GetFederationToken`
-    # in any Amazon Web Services service except the following:
-    #
-    # * You cannot call any IAM operations using the CLI or the Amazon Web
-    #   Services API.
-    #
-    # * You cannot call any STS operations except `GetCallerIdentity`.
-    #
-    # You must pass an inline or managed [session policy][6] to this
-    # operation. You can pass a single JSON policy document to use as an
-    # inline session policy. You can also specify up to 10 managed policies
-    # to use as managed session policies. The plain text that you use for
-    # both inline and managed session policies can't exceed 2,048
-    # characters.
-    #
-    # Though the session policy parameters are optional, if you do not pass
-    # a policy, then the resulting federated user session has no
-    # permissions. When you pass session policies, the session permissions
-    # are the intersection of the IAM user policies and the session policies
-    # that you pass. This gives you a way to further restrict the
-    # permissions for a federated user. You cannot use session policies to
-    # grant more permissions than those that are defined in the permissions
-    # policy of the IAM user. For more information, see [Session
-    # Policies][6] in the *IAM User Guide*. For information about using
-    # `GetFederationToken` to create temporary security credentials, see
-    # [GetFederationToken—Federation Through a Custom Identity Broker][7].
-    #
-    # You can use the credentials to access a resource that has a
-    # resource-based policy. If that policy specifically references the
-    # federated user session in the `Principal` element of the policy, the
-    # session has the permissions allowed by the policy. These permissions
-    # are granted in addition to the permissions granted by the session
-    # policies.
-    #
-    # **Tags**
-    #
-    # (Optional) You can pass tag key-value pairs to your session. These are
-    # called session tags. For more information about session tags, see
-    # [Passing Session Tags in STS][8] in the *IAM User Guide*.
-    #
     # An administrator must grant you the permissions necessary to pass
     # session tags. The administrator can also create granular permissions
     # to allow you to pass only specific session tags. For more information,
@@ -2164,8 +2136,8 @@ module Aws::STS
     # correct MFA code, then the API returns an access denied error. For a
     # comparison of `GetSessionToken` with the other API operations that
     # produce temporary credentials, see [Requesting Temporary Security
-    # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
-    # User Guide*.
+    # Credentials][1] and [Comparing the Amazon Web Services STS API
+    # operations][2] in the *IAM User Guide*.
     #
     # **Session Duration**
     #
@@ -2233,8 +2205,8 @@ module Aws::STS
     #   The value is either the serial number for a hardware device (such as
     #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
     #   (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
-    #   device for an IAM user by going to the Management Console and viewing
-    #   the user's security credentials.
+    #   device for an IAM user by going to the Amazon Web Services Management
+    #   Console and viewing the user's security credentials.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -2312,7 +2284,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.122.1'
+      context[:gem_version] = '3.125.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb

@@ -24,7 +24,11 @@ regions to resolve to the STS global endpoint.
           env_mode = nil if env_mode == ''
           cfg_mode = Aws.shared_config.sts_regional_endpoints(
             profile: cfg.profile)
-          env_mode || cfg_mode || 'regional'
+          default_mode_value =
+            if cfg.respond_to?(:defaults_mode_config_resolver)
+              cfg.defaults_mode_config_resolver.resolve(:sts_regional_endpoints)
+            end
+          env_mode || cfg_mode || default_mode_value || 'regional'
         end
 
       end

data/lib/aws-sdk-sts/types.rb

@@ -132,16 +132,25 @@ module Aws::STS
     #
     # @!attribute [rw] duration_seconds
     #   The duration, in seconds, of the role session. The value specified
-    #   can can range from 900 seconds (15 minutes) up to the maximum
-    #   session duration that is set for the role. The maximum session
-    #   duration setting can have a value from 1 hour to 12 hours. If you
-    #   specify a value higher than this setting or the administrator
-    #   setting (whichever is lower), the operation fails. For example, if
-    #   you specify a session duration of 12 hours, but your administrator
-    #   set the maximum session duration to 6 hours, your operation fails.
-    #   To learn how to view the maximum value for your role, see [View the
-    #   Maximum Session Duration Setting for a Role][1] in the *IAM User
-    #   Guide*.
+    #   can range from 900 seconds (15 minutes) up to the maximum session
+    #   duration set for the role. The maximum session duration setting can
+    #   have a value from 1 hour to 12 hours. If you specify a value higher
+    #   than this setting or the administrator setting (whichever is lower),
+    #   the operation fails. For example, if you specify a session duration
+    #   of 12 hours, but your administrator set the maximum session duration
+    #   to 6 hours, your operation fails.
+    #
+    #   Role chaining limits your Amazon Web Services CLI or Amazon Web
+    #   Services API role session to a maximum of one hour. When you use the
+    #   `AssumeRole` API operation to assume a role, you can specify the
+    #   duration of your role session with the `DurationSeconds` parameter.
+    #   You can specify a parameter value of up to 43200 seconds (12 hours),
+    #   depending on the maximum session duration setting for your role.
+    #   However, if you assume a role using role chaining and provide a
+    #   `DurationSeconds` parameter value greater than one hour, the
+    #   operation fails. To learn how to view the maximum value for your
+    #   role, see [View the Maximum Session Duration Setting for a Role][1]
+    #   in the *IAM User Guide*.
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -150,8 +159,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -164,8 +173,8 @@ module Aws::STS
     # @!attribute [rw] tags
     #   A list of session tags that you want to pass. Each session tag
     #   consists of a key name and an associated value. For more information
-    #   about session tags, see [Tagging STS Sessions][1] in the *IAM User
-    #   Guide*.
+    #   about session tags, see [Tagging Amazon Web Services STS
+    #   Sessions][1] in the *IAM User Guide*.
     #
     #   This parameter is optional. You can pass up to 50 session tags. The
     #   plaintext session tag keys can’t exceed 128 characters, and the
@@ -516,8 +525,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -802,8 +811,8 @@ module Aws::STS
     #   credentials. The request to the federation endpoint for a console
     #   sign-in token takes a `SessionDuration` parameter that specifies the
     #   maximum length of the console session. For more information, see
-    #   [Creating a URL that Enables Federated Users to Access the
-    #   Management Console][2] in the *IAM User Guide*.
+    #   [Creating a URL that Enables Federated Users to Access the Amazon
+    #   Web Services Management Console][2] in the *IAM User Guide*.
     #
     #    </note>
     #
@@ -1012,7 +1021,7 @@ module Aws::STS
     # returned in response to an Amazon Web Services request.
     #
     # @!attribute [rw] decoded_message
-    #   An XML document that contains the decoded message.
+    #   The API returns a response with the decoded message.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse AWS API Documentation
@@ -1396,8 +1405,8 @@ module Aws::STS
     #   The value is either the serial number for a hardware device (such as
     #   `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
     #   device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
-    #   the device for an IAM user by going to the Management Console and
-    #   viewing the user's security credentials.
+    #   the device for an IAM user by going to the Amazon Web Services
+    #   Management Console and viewing the user's security credentials.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -1546,7 +1555,7 @@ module Aws::STS
     #
     #
     # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
-    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1612,7 +1621,8 @@ module Aws::STS
     # You can pass custom key-value pair attributes when you assume a role
     # or federate a user. These are called session tags. You can then use
     # the session tags to control access to resources. For more information,
-    # see [Tagging STS Sessions][1] in the *IAM User Guide*.
+    # see [Tagging Amazon Web Services STS Sessions][1] in the *IAM User
+    # Guide*.
     #
     #
     #

data/lib/aws-sdk-sts.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.122.1'
+  GEM_VERSION = '3.125.0'
 
 end

data/lib/seahorse/client/net_http/connection_pool.rb

@@ -34,6 +34,7 @@ module Seahorse
           ssl_ca_bundle: nil,
           ssl_ca_directory: nil,
           ssl_ca_store: nil,
+          ssl_timeout: nil
         }
 
         # @api private
@@ -187,6 +188,9 @@ module Seahorse
           #   disables this behaviour.  This value can safely be set per
           #   request on the session yielded by {#session_for}.
           #
+          # @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
+          #   in seconds.
+          #
           # @option options [Boolean] :http_wire_trace (false) When `true`,
           #   HTTP debug output will be sent to the `:logger`.
           #
@@ -248,6 +252,7 @@ module Seahorse
               :ssl_ca_bundle => options[:ssl_ca_bundle],
               :ssl_ca_directory => options[:ssl_ca_directory],
               :ssl_ca_store => options[:ssl_ca_store],
+              :ssl_timeout => options[:ssl_timeout]
             }
           end
 
@@ -285,6 +290,8 @@ module Seahorse
 
           if endpoint.scheme == 'https'
             http.use_ssl = true
+            http.ssl_timeout = ssl_timeout
+
             if ssl_verify_peer?
               http.verify_mode = OpenSSL::SSL::VERIFY_PEER
               http.ca_file = ssl_ca_bundle if ssl_ca_bundle

data/lib/seahorse/client/plugins/net_http.rb

@@ -9,9 +9,13 @@ module Seahorse
 
         option(:http_proxy, default: nil, doc_type: String, docstring: '')
 
-        option(:http_open_timeout, default: 15, doc_type: Integer, docstring: '')
+        option(:http_open_timeout, default: 15, doc_type: Integer, docstring: '') do |cfg|
+          resolve_http_open_timeout(cfg)
+        end
 
-        option(:http_read_timeout, default: 60, doc_type: Integer, docstring: '')
+        option(:http_read_timeout, default: 60, doc_type: Integer, docstring: '') do |cfg|
+          resolve_http_read_timeout(cfg)
+        end
 
         option(:http_idle_timeout, default: 5, doc_type: Integer, docstring: '')
 
@@ -30,10 +34,37 @@ module Seahorse
 
         option(:ssl_ca_store, default: nil, doc_type: String, docstring: '')
 
+        option(:ssl_timeout, default: nil, doc_type: Float, docstring: '') do |cfg|
+          resolve_ssl_timeout(cfg)
+        end
+
         option(:logger) # for backwards compat
 
         handler(Client::NetHttp::Handler, step: :send)
 
+        def self.resolve_http_open_timeout(cfg)
+          default_mode_value =
+            if cfg.respond_to?(:defaults_mode_config_resolver)
+              cfg.defaults_mode_config_resolver.resolve(:http_open_timeout)
+            end
+          default_mode_value || 15
+        end
+
+        def self.resolve_http_read_timeout(cfg)
+          default_mode_value =
+            if cfg.respond_to?(:defaults_mode_config_resolver)
+              cfg.defaults_mode_config_resolver.resolve(:http_read_timeout)
+            end
+          default_mode_value || 60
+        end
+
+        def self.resolve_ssl_timeout(cfg)
+          default_mode_value =
+            if cfg.respond_to?(:defaults_mode_config_resolver)
+              cfg.defaults_mode_config_resolver.resolve(:ssl_timeout)
+            end
+          default_mode_value || nil
+        end
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.122.1
+  version: 3.125.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-09 00:00:00.000000000 Z
+date: 2021-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath
@@ -89,6 +89,9 @@ files:
 - LICENSE.txt
 - VERSION
 - ca-bundle.crt
+- lib/aws-defaults.rb
+- lib/aws-defaults/default_configuration.rb
+- lib/aws-defaults/defaults_mode_config_resolver.rb
 - lib/aws-sdk-core.rb
 - lib/aws-sdk-core/arn.rb
 - lib/aws-sdk-core/arn_parser.rb
@@ -139,6 +142,7 @@ files:
 - lib/aws-sdk-core/plugins/client_metrics_plugin.rb
 - lib/aws-sdk-core/plugins/client_metrics_send_plugin.rb
 - lib/aws-sdk-core/plugins/credentials_configuration.rb
+- lib/aws-sdk-core/plugins/defaults_mode.rb
 - lib/aws-sdk-core/plugins/endpoint_discovery.rb
 - lib/aws-sdk-core/plugins/endpoint_pattern.rb
 - lib/aws-sdk-core/plugins/event_stream_configuration.rb