aws-sdk-core 3.126.1 → 3.128.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 46193e52f3ea24b17d0d2ff28e7abf1ef462586db550c10f0540810da7a45fed
-  data.tar.gz: 3dc8f9629d7d7057632bd639c097747792dd40d6c6c81ca5f91e4366ca9dd6bb
+  metadata.gz: 1cf93a52549a583ebf666ac76c7c9243e3068ff7c3e2bd18051ed14d6b2dda36
+  data.tar.gz: c5dd331a95e8437164d33537b0e415de2d74dacc596f2e7675124bd1afded021
 SHA512:
-  metadata.gz: 6f72443886e4e7077c1dc7d1f816b1774ceeae361f13e6f13a5ce532bc77a669e297e5fb3f3582eb772563e315dd0afcef9c5d9acd45d672fea79706537b8868
-  data.tar.gz: 3ed264c5a2ed5cb2dcd3c050224785e62618ded48137d8dd217a75107865f58679a26e5ded1e8498971e8de862e8f91e684eb1a5c64fa9e3db3f53d186d8b351
+  metadata.gz: 4b35894b76ba7531148db72002bbad246a2617a8ec412426520002ef10f82e91b7b89d0cb99cea33b2123a9a7641c98cf4d97769cbccd8c6e6f7bbf5ae4fbb98
+  data.tar.gz: e0818ff963cf8f516a741348d625099c4f3a1d70ad5f30a8722a152f77e251d08a5411eae07a5840b718d636d0eb486a2ea59c6f968d0550bf4e230564baa763

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+3.128.0 (2022-03-04)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.127.0 (2022-02-24)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support `HttpChecksum` trait for requests and responses.
+
+3.126.2 (2022-02-16)
+------------------
+
+* Issue - Add a before_refresh callback to AssumeRoleCredentials (#2529). 
+* Issue - Raise a `NoSuchProfileError` when config and credentials files don't exist.
+
 3.126.1 (2022-02-14)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.126.1
+3.128.0

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -17,6 +17,11 @@ module Aws
   #
   # If you omit `:client` option, a new {STS::Client} object will be
   # constructed.
+  #
+  # The AssumeRoleCredentials also provides a `before_refresh` callback
+  # that can be used to help manage refreshing tokens.
+  # `before_refresh` is called when AWS credentials are required and need
+  # to be refreshed and it is called with the AssumeRoleCredentials object.
   class AssumeRoleCredentials
 
     include CredentialProvider
@@ -28,6 +33,16 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed.  Useful for updating tokens.
+    #   `before_refresh` is called when AWS credentials are
+    #   required and need to be refreshed. Tokens can be refreshed using
+    #   the following example:
+    #
+    #      before_refresh = Proc.new do |assume_role_credentials| do
+    #        assume_role_credentials.assume_role_params['token_code'] = update_token
+    #      end
+    #
     def initialize(options = {})
       client_opts = {}
       @assume_role_params = {}
@@ -45,6 +60,9 @@ module Aws
     # @return [STS::Client]
     attr_reader :client
 
+    # @return [Hash]
+    attr_reader :assume_role_params
+
     private
 
     def refresh

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -39,6 +39,11 @@ module Aws
     #   encoded UUID is generated as the session name
     #
     # @option options [STS::Client] :client
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       client_opts = {}
       @assume_role_web_identity_params = {}

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -43,6 +43,10 @@ module Aws
     # @option options [IO] :http_debug_output (nil) HTTP wire
     #   traces are sent to this object.  You can specify something
     #   like $stdout.
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize options = {}
       @retries = options[:retries] || 5
       @ip_address = options[:ip_address] || '169.254.170.2'

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -63,6 +63,10 @@ module Aws
     # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
     #   Metadata Token used for fetching Metadata Profile Credentials, defaults
     #   to 21600 seconds
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       @retries = options[:retries] || 1
       endpoint_mode = resolve_endpoint_mode(options)

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -0,0 +1,340 @@
+# frozen_string_literal: true
+
+module Aws
+  module Plugins
+    # @api private
+    class ChecksumAlgorithm < Seahorse::Client::Plugin
+      CHUNK_SIZE = 1 * 1024 * 1024 # one MB
+
+      # determine the set of supported client side checksum algorithms
+      # CRC32c requires aws-crt (optional sdk dependency) for support
+      CLIENT_ALGORITHMS = begin
+        supported = %w[SHA256 SHA1 CRC32]
+        begin
+          require 'aws-crt'
+          supported << 'CRC32C'
+        rescue LoadError
+        end
+        supported
+      end.freeze
+
+      # priority order of checksum algorithms to validate responses against
+      # Remove any algorithms not supported by client (ie, depending on CRT availability)
+      CHECKSUM_ALGORITHM_PRIORITIES = %w[CRC32C SHA1 CRC32 SHA256] & CLIENT_ALGORITHMS
+
+      # byte size of checksums, used in computing the trailer length
+      CHECKSUM_SIZE = {
+        'CRC32' => 16,
+        'CRC32C' => 16,
+        'SHA1' => 36,
+        'SHA256' => 52
+      }
+
+      # Interface for computing digests on request/response bodies
+      # which may be files, strings or IO like objects
+      # Applies only to digest functions that produce 32 bit integer checksums
+      # (eg CRC32)
+      class Digest32
+
+        attr_reader :value
+
+        # @param [Object] digest_fn
+        def initialize(digest_fn)
+          @digest_fn = digest_fn
+          @value = 0
+        end
+
+        def update(chunk)
+          @value = @digest_fn.call(chunk, @value)
+        end
+
+        def base64digest
+          Base64.encode64([@value].pack('N')).chomp
+        end
+      end
+
+      def add_handlers(handlers, _config)
+        handlers.add(OptionHandler, step: :initialize)
+        # priority set low to ensure checksum is computed AFTER the request is
+        # built but before it is signed
+        handlers.add(ChecksumHandler, priority: 15, step: :build)
+      end
+
+      private
+
+      def self.request_algorithm_selection(context)
+        return unless context.operation.http_checksum
+
+        input_member = context.operation.http_checksum['requestAlgorithmMember']
+        context.params[input_member.to_sym]&.upcase if input_member
+      end
+
+      def self.request_validation_mode(context)
+        return unless context.operation.http_checksum
+
+        input_member = context.operation.http_checksum['requestValidationModeMember']
+        context.params[input_member.to_sym] if input_member
+      end
+
+      def self.operation_response_algorithms(context)
+        return unless context.operation.http_checksum
+
+        context.operation.http_checksum['responseAlgorithms']
+      end
+
+
+      # @api private
+      class OptionHandler < Seahorse::Client::Handler
+        def call(context)
+          context[:http_checksum] ||= {}
+
+          # validate request configuration
+          if (request_input = ChecksumAlgorithm.request_algorithm_selection(context))
+            unless CLIENT_ALGORITHMS.include? request_input
+              if (request_input == 'CRC32C')
+                raise ArgumentError, "CRC32C requires crt support - install the aws-crt gem for support."
+              else
+                raise ArgumentError, "#{request_input} is not a supported checksum algorithm."
+              end
+            end
+          end
+
+        # validate response configuration
+          if (ChecksumAlgorithm.request_validation_mode(context))
+            # Compute an ordered list as the union between priority supported and the
+            # operation's modeled response algorithms.
+            validation_list = CHECKSUM_ALGORITHM_PRIORITIES &
+              ChecksumAlgorithm.operation_response_algorithms(context)
+            context[:http_checksum][:validation_list] = validation_list
+          end
+
+          @handler.call(context)
+        end
+      end
+
+      # @api private
+      class ChecksumHandler < Seahorse::Client::Handler
+
+        def call(context)
+          if should_calculate_request_checksum?(context)
+            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context)
+            context[:checksum_algorithms] = request_algorithm_input
+
+            request_checksum_property = {
+              'algorithm' => request_algorithm_input,
+              'in' => checksum_request_in(context),
+              'name' => "x-amz-checksum-#{request_algorithm_input.downcase}"
+            }
+
+            calculate_request_checksum(context, request_checksum_property)
+          end
+
+          if should_verify_response_checksum?(context)
+            add_verify_response_checksum_handlers(context)
+          end
+
+          @handler.call(context)
+        end
+
+        private
+
+        def should_calculate_request_checksum?(context)
+          context.operation.http_checksum &&
+            ChecksumAlgorithm.request_algorithm_selection(context)
+        end
+
+        def should_verify_response_checksum?(context)
+          context[:http_checksum][:validation_list] && !context[:http_checksum][:validation_list].empty?
+        end
+
+        def calculate_request_checksum(context, checksum_properties)
+          case checksum_properties['in']
+          when 'header'
+            header_name = checksum_properties['name']
+            body = context.http_request.body_contents
+            if body
+              context.http_request.headers[header_name] ||=
+                ChecksumAlgorithm.calculate_checksum(checksum_properties['algorithm'], body)
+            end
+          when 'trailer'
+            apply_request_trailer_checksum(context, checksum_properties)
+          end
+        end
+
+        def apply_request_trailer_checksum(context, checksum_properties)
+          location_name = checksum_properties['name']
+
+          # set required headers
+          headers = context.http_request.headers
+          headers['Content-Encoding'] = 'aws-chunked'
+          headers['X-Amz-Content-Sha256'] = 'STREAMING-UNSIGNED-PAYLOAD-TRAILER'
+          headers['X-Amz-Trailer'] = location_name
+
+          # We currently always compute the size in the modified body wrapper - allowing us
+          # to set the Content-Length header (set by content_length plugin).
+          # This means we cannot use Transfer-Encoding=chunked
+
+          if !context.http_request.body.respond_to?(:size)
+            raise Aws::Errors::ChecksumError, 'Could not determine length of the body'
+          end
+          headers['X-Amz-Decoded-Content-Length'] = context.http_request.body.size
+
+          context.http_request.body = AwsChunkedTrailerDigestIO.new(
+            context.http_request.body,
+            checksum_properties['algorithm'],
+            location_name
+          )
+        end
+
+        # Add events to the http_response to verify the checksum as its read
+        # This prevents the body from being read multiple times
+        # verification is done only once a successful response has completed
+        def add_verify_response_checksum_handlers(context)
+          http_response = context.http_response
+          checksum_context = { }
+          http_response.on_headers do |_status, headers|
+            header_name, algorithm = response_header_to_verify(headers, context[:http_checksum][:validation_list])
+            if header_name
+              expected = headers[header_name]
+
+              unless context[:http_checksum][:skip_on_suffix] && /-[\d]+$/.match(expected)
+                checksum_context[:algorithm] = algorithm
+                checksum_context[:header_name] = header_name
+                checksum_context[:digest] = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+                checksum_context[:expected] = expected
+              end
+            end
+          end
+
+          http_response.on_data do |chunk|
+            checksum_context[:digest].update(chunk) if checksum_context[:digest]
+          end
+
+          http_response.on_success do
+            if checksum_context[:digest] &&
+              (computed = checksum_context[:digest].base64digest)
+
+              if computed != checksum_context[:expected]
+                raise Aws::Errors::ChecksumError,
+                      "Checksum validation failed on #{checksum_context[:header_name]} "\
+                      "computed: #{computed}, expected: #{checksum_context[:expected]}"
+              end
+
+              context[:http_checksum][:validated] = checksum_context[:algorithm]
+            end
+          end
+        end
+
+        # returns nil if no headers to verify
+        def response_header_to_verify(headers, validation_list)
+          validation_list.each do |algorithm|
+            header_name = "x-amz-checksum-#{algorithm}"
+            return [header_name, algorithm] if headers[header_name]
+          end
+          nil
+        end
+
+        # determine where (header vs trailer) a request checksum should be added
+        def checksum_request_in(context)
+          if context.operation['authtype'].eql?('v4-unsigned-body')
+            'trailer'
+          else
+            'header'
+          end
+        end
+
+      end
+
+      def self.calculate_checksum(algorithm, body)
+        digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+        if body.respond_to?(:read)
+          ChecksumAlgorithm.update_in_chunks(digest, body)
+        else
+          digest.update(body)
+        end
+        digest.base64digest
+      end
+
+      def self.digest_for_algorithm(algorithm)
+        case algorithm
+        when 'CRC32'
+          Digest32.new(Zlib.method(:crc32))
+        when 'CRC32C'
+          # this will only be used if input algorithm is CRC32C AND client supports it (crt available)
+          Digest32.new(Aws::Crt::Checksums.method(:crc32c))
+        when 'SHA1'
+          Digest::SHA1.new
+        when 'SHA256'
+          Digest::SHA256.new
+        end
+      end
+
+      # The trailer size (in bytes) is the overhead + the trailer name +
+      # the length of the base64 encoded checksum
+      def self.trailer_length(algorithm, location_name)
+        CHECKSUM_SIZE[algorithm] + location_name.size
+      end
+
+      def self.update_in_chunks(digest, io)
+        loop do
+          chunk = io.read(CHUNK_SIZE)
+          break unless chunk
+          digest.update(chunk)
+        end
+        io.rewind
+      end
+
+      # Wrapper for request body that implements application-layer
+      # chunking with Digest computed on chunks + added as a trailer
+      class AwsChunkedTrailerDigestIO
+        CHUNK_SIZE = 16384
+
+        def initialize(io, algorithm, location_name)
+          @io = io
+          @location_name = location_name
+          @algorithm = algorithm
+          @digest = ChecksumAlgorithm.digest_for_algorithm(algorithm)
+          @trailer_io = nil
+        end
+
+        # the size of the application layer aws-chunked + trailer body
+        def size
+          # compute the number of chunks
+          # a full chunk has 4 + 4 bytes overhead, a partial chunk is len.to_s(16).size + 4
+          orig_body_size = @io.size
+          n_full_chunks = orig_body_size / CHUNK_SIZE
+          partial_bytes = orig_body_size % CHUNK_SIZE
+          chunked_body_size = n_full_chunks * (CHUNK_SIZE + 8)
+          chunked_body_size += partial_bytes.to_s(16).size + partial_bytes + 4 unless  partial_bytes.zero?
+          trailer_size = ChecksumAlgorithm.trailer_length(@algorithm, @location_name)
+          chunked_body_size + trailer_size
+        end
+
+        def rewind
+          @io.rewind
+        end
+
+        def read(length, buf)
+          # account for possible leftover bytes at the end, if we have trailer bytes, send them
+          if @trailer_io
+            return @trailer_io.read(length, buf)
+          end
+
+          chunk = @io.read(length)
+          if chunk
+            @digest.update(chunk)
+            application_chunked = "#{chunk.bytesize.to_s(16)}\r\n#{chunk}\r\n"
+            return StringIO.new(application_chunked).read(application_chunked.size, buf)
+          else
+            trailers = {}
+            trailers[@location_name] = @digest.base64digest
+            trailers = trailers.map { |k,v| "#{k}:#{v}"}.join("\r\n")
+            @trailer_io = StringIO.new("0\r\n#{trailers}\r\n\r\n")
+            chunk = @trailer_io.read(length, buf)
+          end
+          chunk
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/http_checksum.rb

@@ -11,7 +11,8 @@ module Aws
         CHUNK_SIZE = 1 * 1024 * 1024 # one MB
 
         def call(context)
-          if context.operation.http_checksum_required
+          if checksum_required?(context) &&
+             !context[:checksum_algorithms] # skip in favor of flexible checksum
             body = context.http_request.body
             context.http_request.headers['Content-Md5'] ||= md5(body)
           end
@@ -20,6 +21,12 @@ module Aws
 
         private
 
+        def checksum_required?(context)
+          context.operation.http_checksum_required ||
+            (context.operation.http_checksum &&
+              context.operation.http_checksum['requestChecksumRequired'])
+        end
+
         # @param [File, Tempfile, IO#read, String] value
         # @return [String<MD5>]
         def md5(value)

data/lib/aws-sdk-core/plugins/retries/error_inspector.rb

@@ -82,7 +82,7 @@ module Aws
         end
 
         def checksum?
-          CHECKSUM_ERRORS.include?(@name) || @error.is_a?(Errors::ChecksumError)
+          CHECKSUM_ERRORS.include?(@name)
         end
 
         def networking?

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -134,7 +134,7 @@ module Aws
         def apply_authtype(context)
           if context.operation['authtype'].eql?('v4-unsigned-body') &&
              context.http_request.endpoint.scheme.eql?('https')
-            context.http_request.headers['X-Amz-Content-Sha256'] = 'UNSIGNED-PAYLOAD'
+            context.http_request.headers['X-Amz-Content-Sha256'] ||= 'UNSIGNED-PAYLOAD'
           end
           context
         end

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -19,6 +19,9 @@ module Aws
 
     def initialize(options = {})
       @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
       refresh
     end
 
@@ -37,7 +40,11 @@ module Aws
     # Refresh credentials.
     # @return [void]
     def refresh!
-      @mutex.synchronize { refresh }
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+
+        refresh
+      end
     end
 
     private
@@ -47,7 +54,11 @@ module Aws
     def refresh_if_near_expiration
       if near_expiration?
         @mutex.synchronize do
-          refresh if near_expiration?
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+
+            refresh
+          end
         end
       end
     end

data/lib/aws-sdk-core/shared_config.rb

@@ -100,7 +100,7 @@ module Aws
     #   or `nil` if no valid credentials were found.
     def credentials(opts = {})
       p = opts[:profile] || @profile_name
-      validate_profile_exists(p) if credentials_present?
+      validate_profile_exists(p)
       if (credentials = credentials_from_shared(p, opts))
         credentials
       elsif (credentials = credentials_from_config(p, opts))
@@ -195,11 +195,6 @@ module Aws
       value
     end
 
-    def credentials_present?
-      (@parsed_credentials && !@parsed_credentials.empty?) ||
-        (@parsed_config && !@parsed_config.empty?)
-    end
-
     def assume_role_from_profile(cfg, profile, opts, chain_config)
       if cfg && prof_cfg = cfg[profile]
         opts[:source_profile] ||= prof_cfg['source_profile']

data/lib/aws-sdk-core/sso_credentials.rb

@@ -63,6 +63,11 @@ module Aws
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
 
       missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }

data/lib/aws-sdk-sso/client.rb

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
@@ -75,6 +76,7 @@ module Aws::SSO
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
     add_plugin(Aws::Plugins::SignatureV4)
@@ -543,7 +545,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.126.1'
+      context[:gem_version] = '3.128.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.126.1'
+  GEM_VERSION = '3.128.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -27,6 +27,7 @@ require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/http_checksum.rb'
+require 'aws-sdk-core/plugins/checksum_algorithm.rb'
 require 'aws-sdk-core/plugins/defaults_mode.rb'
 require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
@@ -76,6 +77,7 @@ module Aws::STS
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
     add_plugin(Aws::Plugins::TransferEncoding)
     add_plugin(Aws::Plugins::HttpChecksum)
+    add_plugin(Aws::Plugins::ChecksumAlgorithm)
     add_plugin(Aws::Plugins::DefaultsMode)
     add_plugin(Aws::Plugins::RecursionDetection)
     add_plugin(Aws::Plugins::SignatureV4)
@@ -639,7 +641,7 @@ module Aws::STS
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
     #
     # @option params [Array<String>] :transitive_tag_keys
     #   A list of keys for session tags that you want to set as transitive. If
@@ -1177,19 +1179,20 @@ module Aws::STS
 
     # Returns a set of temporary security credentials for users who have
     # been authenticated in a mobile or web application with a web identity
-    # provider. Example providers include Amazon Cognito, Login with Amazon,
-    # Facebook, Google, or any OpenID Connect-compatible identity provider.
+    # provider. Example providers include the OAuth 2.0 providers Login with
+    # Amazon and Facebook, or any OpenID Connect-compatible identity
+    # provider such as Google or [Amazon Cognito federated identities][1].
     #
     # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
     # can use Amazon Cognito with the [Amazon Web Services SDK for iOS
-    # Developer Guide][1] and the [Amazon Web Services SDK for Android
-    # Developer Guide][2] to uniquely identify a user. You can also supply
+    # Developer Guide][2] and the [Amazon Web Services SDK for Android
+    # Developer Guide][3] to uniquely identify a user. You can also supply
     # the user with a consistent identity throughout the lifetime of an
     # application.
     #
-    #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
+    #  To learn more about Amazon Cognito, see [Amazon Cognito Overview][4]
     # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
-    # Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
+    # Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
     # Guide*.
     #
     #  </note>
@@ -1204,8 +1207,8 @@ module Aws::STS
     # a token from the web identity provider. For a comparison of
     # `AssumeRoleWithWebIdentity` with the other API operations that produce
     # temporary credentials, see [Requesting Temporary Security
-    # Credentials][5] and [Comparing the Amazon Web Services STS API
-    # operations][6] in the *IAM User Guide*.
+    # Credentials][6] and [Comparing the Amazon Web Services STS API
+    # operations][7] in the *IAM User Guide*.
     #
     # The temporary security credentials returned by this API consist of an
     # access key ID, a secret access key, and a security token. Applications
@@ -1221,11 +1224,11 @@ module Aws::STS
     # to the maximum session duration setting for the role. This setting can
     # have a value from 1 hour to 12 hours. To learn how to view the maximum
     # value for your role, see [View the Maximum Session Duration Setting
-    # for a Role][7] in the *IAM User Guide*. The maximum session duration
+    # for a Role][8] in the *IAM User Guide*. The maximum session duration
     # limit applies when you use the `AssumeRole*` API operations or the
     # `assume-role*` CLI commands. However the limit does not apply when you
     # use those operations to create a console URL. For more information,
-    # see [Using IAM Roles][8] in the *IAM User Guide*.
+    # see [Using IAM Roles][9] in the *IAM User Guide*.
     #
     # **Permissions**
     #
@@ -1234,7 +1237,7 @@ module Aws::STS
     # Amazon Web Services service with the following exception: you cannot
     # call the STS `GetFederationToken` or `GetSessionToken` API operations.
     #
-    # (Optional) You can pass inline or managed [session policies][9] to
+    # (Optional) You can pass inline or managed [session policies][10] to
     # this operation. You can pass a single JSON policy document to use as
     # an inline session policy. You can also specify up to 10 managed
     # policies to use as managed session policies. The plaintext that you
@@ -1246,7 +1249,7 @@ module Aws::STS
     # Services API calls to access resources in the account that owns the
     # role. You cannot use session policies to grant more permissions than
     # those allowed by the identity-based policy of the role that is being
-    # assumed. For more information, see [Session Policies][9] in the *IAM
+    # assumed. For more information, see [Session Policies][10] in the *IAM
     # User Guide*.
     #
     # **Tags**
@@ -1254,12 +1257,12 @@ module Aws::STS
     # (Optional) You can configure your IdP to pass attributes into your web
     # identity token as session tags. Each session tag consists of a key
     # name and an associated value. For more information about session tags,
-    # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
+    # see [Passing Session Tags in STS][11] in the *IAM User Guide*.
     #
     # You can pass up to 50 session tags. The plaintext session tag keys
     # can’t exceed 128 characters and the values can’t exceed 256
     # characters. For these and additional limits, see [IAM and STS
-    # Character Limits][11] in the *IAM User Guide*.
+    # Character Limits][12] in the *IAM User Guide*.
     #
     # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
     # policies and session tags into a packed binary format that has a
@@ -1277,12 +1280,12 @@ module Aws::STS
     # An administrator must grant you the permissions necessary to pass
     # session tags. The administrator can also create granular permissions
     # to allow you to pass only specific session tags. For more information,
-    # see [Tutorial: Using Tags for Attribute-Based Access Control][12] in
+    # see [Tutorial: Using Tags for Attribute-Based Access Control][13] in
     # the *IAM User Guide*.
     #
     # You can set the session tags as transitive. Transitive tags persist
     # during role chaining. For more information, see [Chaining Roles with
-    # Session Tags][13] in the *IAM User Guide*.
+    # Session Tags][14] in the *IAM User Guide*.
     #
     # **Identities**
     #
@@ -1294,54 +1297,55 @@ module Aws::STS
     # specified in the role's trust policy.
     #
     # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
-    # CloudTrail logs. The entry includes the [Subject][14] of the provided
+    # CloudTrail logs. The entry includes the [Subject][15] of the provided
     # web identity token. We recommend that you avoid using any personally
     # identifiable information (PII) in this field. For example, you could
     # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
-    # specification][15].
+    # specification][16].
     #
     # For more information about how to use web identity federation and the
     # `AssumeRoleWithWebIdentity` API, see the following resources:
     #
-    # * [Using Web Identity Federation API Operations for Mobile Apps][16]
-    #   and [Federation Through a Web-based Identity Provider][17].
+    # * [Using Web Identity Federation API Operations for Mobile Apps][17]
+    #   and [Federation Through a Web-based Identity Provider][18].
     #
-    # * [ Web Identity Federation Playground][18]. Walk through the process
+    # * [ Web Identity Federation Playground][19]. Walk through the process
     #   of authenticating through Login with Amazon, Facebook, or Google,
     #   getting temporary security credentials, and then using those
     #   credentials to make a request to Amazon Web Services.
     #
-    # * [Amazon Web Services SDK for iOS Developer Guide][1] and [Amazon Web
-    #   Services SDK for Android Developer Guide][2]. These toolkits contain
+    # * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
+    #   Services SDK for Android Developer Guide][3]. These toolkits contain
     #   sample apps that show how to invoke the identity providers. The
     #   toolkits then show how to use the information from these providers
     #   to get and use temporary security credentials.
     #
-    # * [Web Identity Federation with Mobile Applications][19]. This article
+    # * [Web Identity Federation with Mobile Applications][20]. This article
     #   discusses web identity federation and shows an example of how to use
     #   web identity federation to get access to content in Amazon S3.
     #
     #
     #
-    # [1]: http://aws.amazon.com/sdkforios/
-    # [2]: http://aws.amazon.com/sdkforandroid/
-    # [3]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
-    # [4]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
-    # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
-    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
-    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
-    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
-    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
-    # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
-    # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-    # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
-    # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
-    # [14]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
-    # [15]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
-    # [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
-    # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
-    # [18]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
-    # [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
+    # [2]: http://aws.amazon.com/sdkforios/
+    # [3]: http://aws.amazon.com/sdkforandroid/
+    # [4]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
+    # [5]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
+    # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
+    # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
+    # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
+    # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+    # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
+    # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
+    # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
+    # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
+    # [15]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
+    # [16]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
+    # [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
+    # [18]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
+    # [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
+    # [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
     #
     # @option params [required, String] :role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
@@ -1368,13 +1372,13 @@ module Aws::STS
     #   `AssumeRoleWithWebIdentity` call.
     #
     # @option params [String] :provider_id
-    #   The fully qualified host component of the domain name of the identity
-    #   provider.
+    #   The fully qualified host component of the domain name of the OAuth 2.0
+    #   identity provider. Do not specify this value for an OpenID Connect
+    #   identity provider.
     #
-    #   Specify this value only for OAuth 2.0 access tokens. Currently
-    #   `www.amazon.com` and `graph.facebook.com` are the only supported
-    #   identity providers for OAuth 2.0 access tokens. Do not include URL
-    #   schemes and port numbers.
+    #   Currently `www.amazon.com` and `graph.facebook.com` are the only
+    #   supported identity providers for OAuth 2.0 access tokens. Do not
+    #   include URL schemes and port numbers.
     #
     #   Do not specify this value for OpenID Connect ID tokens.
     #
@@ -2286,7 +2290,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.126.1'
+      context[:gem_version] = '3.128.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts/types.rb

@@ -213,7 +213,7 @@ module Aws::STS
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
-    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] transitive_tag_keys
@@ -710,13 +710,13 @@ module Aws::STS
     #   @return [String]
     #
     # @!attribute [rw] provider_id
-    #   The fully qualified host component of the domain name of the
-    #   identity provider.
+    #   The fully qualified host component of the domain name of the OAuth
+    #   2.0 identity provider. Do not specify this value for an OpenID
+    #   Connect identity provider.
     #
-    #   Specify this value only for OAuth 2.0 access tokens. Currently
-    #   `www.amazon.com` and `graph.facebook.com` are the only supported
-    #   identity providers for OAuth 2.0 access tokens. Do not include URL
-    #   schemes and port numbers.
+    #   Currently `www.amazon.com` and `graph.facebook.com` are the only
+    #   supported identity providers for OAuth 2.0 access tokens. Do not
+    #   include URL schemes and port numbers.
     #
     #   Do not specify this value for OpenID Connect ID tokens.
     #   @return [String]

data/lib/aws-sdk-sts.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.126.1'
+  GEM_VERSION = '3.128.0'
 
 end

data/lib/seahorse/model/operation.rb

@@ -25,6 +25,9 @@ module Seahorse
       # @return [Boolean]
       attr_accessor :http_checksum_required
 
+      # @return [Hash]
+      attr_accessor :http_checksum
+
       # @return [Boolean]
       attr_accessor :deprecated
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.126.1
+  version: 3.128.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-14 00:00:00.000000000 Z
+date: 2022-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath
@@ -139,6 +139,7 @@ files:
 - lib/aws-sdk-core/plugins/apig_authorizer_token.rb
 - lib/aws-sdk-core/plugins/apig_credentials_configuration.rb
 - lib/aws-sdk-core/plugins/apig_user_agent.rb
+- lib/aws-sdk-core/plugins/checksum_algorithm.rb
 - lib/aws-sdk-core/plugins/client_metrics_plugin.rb
 - lib/aws-sdk-core/plugins/client_metrics_send_plugin.rb
 - lib/aws-sdk-core/plugins/credentials_configuration.rb