aws-sdk-core 3.127.0 → 3.130.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +27 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/assume_role_credentials.rb +1 -0
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +2 -1
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +1 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +53 -6
- data/lib/aws-sdk-core/pageable_response.rb +72 -32
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/signature_v4.rb +1 -0
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/process_credentials.rb +3 -2
- data/lib/aws-sdk-core/refreshing_credentials.rb +29 -11
- data/lib/aws-sdk-core/sso_credentials.rb +1 -0
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +53 -51
- data/lib/aws-sdk-sts/types.rb +7 -7
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d7804cbac83996a95b2cacbd808389798eb0b461229a9e8e2a966cd28d599aa6
|
4
|
+
data.tar.gz: ce3557bcbd4d6a5edaa1bc99fbd7e75f9b2e23eb6fadb8be06a69b91e2e8a4a7
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d1d0b4ec0b478389290d84409869ed012e4a2ce6408d3dc5c46c618771cc970d9086eb4686dd64b740ebd5eeafe7cc0e8b6fa63d3f89202e8f2841d9a203bdbb
|
7
|
+
data.tar.gz: f4c41ffb85d712bcaf8701aa61a886837517df23e14a53c2b9201d86bfcc1fd41b5b8badded9f91aeb0ee77553c9e2af80b4c82d1e249486b5630afc1582939c
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,33 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.130.0 (2022-03-11)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - Asynchronously refresh AWS credentials (#2641).
|
8
|
+
|
9
|
+
* Issue - Add x-amz-region-set to list of headers deleted for re-sign.
|
10
|
+
|
11
|
+
3.129.1 (2022-03-10)
|
12
|
+
------------------
|
13
|
+
|
14
|
+
* Issue - Make stubs thread safe by creating new responses for each operation call (#2675).
|
15
|
+
|
16
|
+
3.129.0 (2022-03-08)
|
17
|
+
------------------
|
18
|
+
|
19
|
+
* Feature - Add support for cases when `InstanceProfileCredentials` (IMDS) is unable to refresh credentials.
|
20
|
+
|
21
|
+
3.128.1 (2022-03-07)
|
22
|
+
------------------
|
23
|
+
|
24
|
+
* Issue - Fixed `Aws::PageableResponse` invalidating Ruby's global constant cache.
|
25
|
+
|
26
|
+
3.128.0 (2022-03-04)
|
27
|
+
------------------
|
28
|
+
|
29
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
30
|
+
|
4
31
|
3.127.0 (2022-02-24)
|
5
32
|
------------------
|
6
33
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.130.0
|
@@ -17,7 +17,7 @@ module Aws
|
|
17
17
|
# ...
|
18
18
|
# )
|
19
19
|
# For full list of parameters accepted
|
20
|
-
# @see Aws::STS::Client#assume_role_with_web_identity
|
20
|
+
# @see Aws::STS::Client#assume_role_with_web_identity
|
21
21
|
#
|
22
22
|
#
|
23
23
|
# If you omit `:client` option, a new {STS::Client} object will be
|
@@ -48,6 +48,7 @@ module Aws
|
|
48
48
|
client_opts = {}
|
49
49
|
@assume_role_web_identity_params = {}
|
50
50
|
@token_file = options.delete(:web_identity_token_file)
|
51
|
+
@async_refresh = true
|
51
52
|
options.each_pair do |key, value|
|
52
53
|
if self.class.assume_role_web_identity_options.include?(key)
|
53
54
|
@assume_role_web_identity_params[key] = value
|
@@ -262,13 +262,17 @@ module Aws
|
|
262
262
|
end
|
263
263
|
|
264
264
|
def convert_stub(operation_name, stub)
|
265
|
-
case stub
|
265
|
+
stub = case stub
|
266
266
|
when Proc then stub
|
267
267
|
when Exception, Class then { error: stub }
|
268
268
|
when String then service_error_stub(stub)
|
269
269
|
when Hash then http_response_stub(operation_name, stub)
|
270
270
|
else { data: stub }
|
271
271
|
end
|
272
|
+
if Hash === stub
|
273
|
+
stub[:mutex] = Mutex.new
|
274
|
+
end
|
275
|
+
stub
|
272
276
|
end
|
273
277
|
|
274
278
|
def service_error_stub(error_code)
|
@@ -78,6 +78,8 @@ module Aws
|
|
78
78
|
@backoff = backoff(options[:backoff])
|
79
79
|
@token_ttl = options[:token_ttl] || 21_600
|
80
80
|
@token = nil
|
81
|
+
@no_refresh_until = nil
|
82
|
+
@async_refresh = false
|
81
83
|
super
|
82
84
|
end
|
83
85
|
|
@@ -125,18 +127,48 @@ module Aws
|
|
125
127
|
end
|
126
128
|
|
127
129
|
def refresh
|
130
|
+
if @no_refresh_until && @no_refresh_until > Time.now
|
131
|
+
warn_expired_credentials
|
132
|
+
return
|
133
|
+
end
|
134
|
+
|
128
135
|
# Retry loading credentials up to 3 times is the instance metadata
|
129
136
|
# service is responding but is returning invalid JSON documents
|
130
137
|
# in response to the GET profile credentials call.
|
131
138
|
begin
|
132
139
|
retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
|
133
140
|
c = Aws::Json.load(get_credentials.to_s)
|
134
|
-
@credentials
|
135
|
-
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
141
|
+
if empty_credentials?(@credentials)
|
142
|
+
@credentials = Credentials.new(
|
143
|
+
c['AccessKeyId'],
|
144
|
+
c['SecretAccessKey'],
|
145
|
+
c['Token']
|
146
|
+
)
|
147
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
148
|
+
if @expiration && @expiration < Time.now
|
149
|
+
@no_refresh_until = Time.now + refresh_offset
|
150
|
+
warn_expired_credentials
|
151
|
+
end
|
152
|
+
else
|
153
|
+
# credentials are already set, update them only if the new ones are not empty
|
154
|
+
if !c['AccessKeyId'] || c['AccessKeyId'].empty?
|
155
|
+
# error getting new credentials
|
156
|
+
@no_refresh_until = Time.now + refresh_offset
|
157
|
+
warn_expired_credentials
|
158
|
+
else
|
159
|
+
@credentials = Credentials.new(
|
160
|
+
c['AccessKeyId'],
|
161
|
+
c['SecretAccessKey'],
|
162
|
+
c['Token']
|
163
|
+
)
|
164
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
165
|
+
if @expiration && @expiration < Time.now
|
166
|
+
@no_refresh_until = Time.now + refresh_offset
|
167
|
+
warn_expired_credentials
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
140
172
|
end
|
141
173
|
rescue Aws::Json::ParseError
|
142
174
|
raise Aws::Errors::MetadataParserError
|
@@ -260,6 +292,21 @@ module Aws
|
|
260
292
|
end
|
261
293
|
end
|
262
294
|
|
295
|
+
def warn_expired_credentials
|
296
|
+
warn("Attempting credential expiration extension due to a credential "\
|
297
|
+
"service availability issue. A refresh of these credentials "\
|
298
|
+
"will be attempted again in 5 minutes.")
|
299
|
+
end
|
300
|
+
|
301
|
+
def empty_credentials?(creds)
|
302
|
+
!creds || !creds.access_key_id || creds.access_key_id.empty?
|
303
|
+
end
|
304
|
+
|
305
|
+
# Compute an offset for refresh with jitter
|
306
|
+
def refresh_offset
|
307
|
+
300 + rand(0..60)
|
308
|
+
end
|
309
|
+
|
263
310
|
# @api private
|
264
311
|
# Token used to fetch IMDS profile and credentials
|
265
312
|
class Token
|
@@ -48,11 +48,11 @@ module Aws
|
|
48
48
|
#
|
49
49
|
module PageableResponse
|
50
50
|
|
51
|
-
def self.
|
52
|
-
base.extend
|
53
|
-
base.
|
54
|
-
base.instance_variable_set(
|
55
|
-
base
|
51
|
+
def self.apply(base)
|
52
|
+
base.extend Extension
|
53
|
+
base.instance_variable_set(:@last_page, nil)
|
54
|
+
base.instance_variable_set(:@more_results, nil)
|
55
|
+
base
|
56
56
|
end
|
57
57
|
|
58
58
|
# @return [Paging::Pager]
|
@@ -62,39 +62,26 @@ module Aws
|
|
62
62
|
# when this method returns `false` will raise an error.
|
63
63
|
# @return [Boolean]
|
64
64
|
def last_page?
|
65
|
-
|
66
|
-
@last_page = !@pager.truncated?(self)
|
67
|
-
end
|
68
|
-
@last_page
|
65
|
+
# Actual implementation is in PageableResponse::Extension
|
69
66
|
end
|
70
67
|
|
71
68
|
# Returns `true` if there are more results. Calling {#next_page} will
|
72
69
|
# return the next response.
|
73
70
|
# @return [Boolean]
|
74
71
|
def next_page?
|
75
|
-
|
72
|
+
# Actual implementation is in PageableResponse::Extension
|
76
73
|
end
|
77
74
|
|
78
75
|
# @return [Seahorse::Client::Response]
|
79
76
|
def next_page(params = {})
|
80
|
-
|
81
|
-
raise LastPageError.new(self)
|
82
|
-
else
|
83
|
-
next_response(params)
|
84
|
-
end
|
77
|
+
# Actual implementation is in PageableResponse::Extension
|
85
78
|
end
|
86
79
|
|
87
80
|
# Yields the current and each following response to the given block.
|
88
81
|
# @yieldparam [Response] response
|
89
82
|
# @return [Enumerable,nil] Returns a new Enumerable if no block is given.
|
90
83
|
def each(&block)
|
91
|
-
|
92
|
-
response = self
|
93
|
-
yield(response)
|
94
|
-
until response.last_page?
|
95
|
-
response = response.next_page
|
96
|
-
yield(response)
|
97
|
-
end
|
84
|
+
# Actual implementation is in PageableResponse::Extension
|
98
85
|
end
|
99
86
|
alias each_page each
|
100
87
|
|
@@ -105,9 +92,7 @@ module Aws
|
|
105
92
|
# @return [Seahorse::Client::Response] Returns the next page of
|
106
93
|
# results.
|
107
94
|
def next_response(params)
|
108
|
-
|
109
|
-
request = context.client.build_request(context.operation_name, params)
|
110
|
-
request.send_request
|
95
|
+
# Actual implementation is in PageableResponse::Extension
|
111
96
|
end
|
112
97
|
|
113
98
|
# @param [Hash] params A hash of additional request params to
|
@@ -115,13 +100,7 @@ module Aws
|
|
115
100
|
# @return [Hash] Returns the hash of request parameters for the
|
116
101
|
# next page, merging any given params.
|
117
102
|
def next_page_params(params)
|
118
|
-
#
|
119
|
-
# Sometimes a token can be nil and merge would not include it.
|
120
|
-
tokens = @pager.tokens.values.map(&:to_sym)
|
121
|
-
|
122
|
-
params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
|
123
|
-
params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
|
124
|
-
params_without_tokens
|
103
|
+
# Actual implementation is in PageableResponse::Extension
|
125
104
|
end
|
126
105
|
|
127
106
|
# Raised when calling {PageableResponse#next_page} on a pager that
|
@@ -168,5 +147,66 @@ module Aws
|
|
168
147
|
end
|
169
148
|
|
170
149
|
end
|
150
|
+
|
151
|
+
# The actual decorator module implementation. It is in a distinct module
|
152
|
+
# so that it can be used to extend objects without busting Ruby's constant cache.
|
153
|
+
# object.extend(mod) bust the constant cache only if `mod` contains constants of its own.
|
154
|
+
# @api private
|
155
|
+
module Extension
|
156
|
+
|
157
|
+
include Enumerable
|
158
|
+
include UnsafeEnumerableMethods
|
159
|
+
|
160
|
+
attr_accessor :pager
|
161
|
+
|
162
|
+
def last_page?
|
163
|
+
if @last_page.nil?
|
164
|
+
@last_page = !@pager.truncated?(self)
|
165
|
+
end
|
166
|
+
@last_page
|
167
|
+
end
|
168
|
+
|
169
|
+
def next_page?
|
170
|
+
!last_page?
|
171
|
+
end
|
172
|
+
|
173
|
+
def next_page(params = {})
|
174
|
+
if last_page?
|
175
|
+
raise LastPageError.new(self)
|
176
|
+
else
|
177
|
+
next_response(params)
|
178
|
+
end
|
179
|
+
end
|
180
|
+
|
181
|
+
def each(&block)
|
182
|
+
return enum_for(:each_page) unless block_given?
|
183
|
+
response = self
|
184
|
+
yield(response)
|
185
|
+
until response.last_page?
|
186
|
+
response = response.next_page
|
187
|
+
yield(response)
|
188
|
+
end
|
189
|
+
end
|
190
|
+
alias each_page each
|
191
|
+
|
192
|
+
private
|
193
|
+
|
194
|
+
def next_response(params)
|
195
|
+
params = next_page_params(params)
|
196
|
+
request = context.client.build_request(context.operation_name, params)
|
197
|
+
request.send_request
|
198
|
+
end
|
199
|
+
|
200
|
+
def next_page_params(params)
|
201
|
+
# Remove all previous tokens from original params
|
202
|
+
# Sometimes a token can be nil and merge would not include it.
|
203
|
+
tokens = @pager.tokens.values.map(&:to_sym)
|
204
|
+
|
205
|
+
params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
|
206
|
+
params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
|
207
|
+
params_without_tokens
|
208
|
+
end
|
209
|
+
|
210
|
+
end
|
171
211
|
end
|
172
212
|
end
|
@@ -10,7 +10,7 @@ module Aws
|
|
10
10
|
def call(context)
|
11
11
|
context[:original_params] = context.params
|
12
12
|
resp = @handler.call(context)
|
13
|
-
|
13
|
+
PageableResponse.apply(resp)
|
14
14
|
resp.pager = context.operation[:pager] || Aws::Pager::NullPager.new
|
15
15
|
resp
|
16
16
|
end
|
@@ -98,6 +98,7 @@ module Aws
|
|
98
98
|
req.headers.delete('Authorization')
|
99
99
|
req.headers.delete('X-Amz-Security-Token')
|
100
100
|
req.headers.delete('X-Amz-Date')
|
101
|
+
req.headers.delete('x-Amz-Region-Set')
|
101
102
|
|
102
103
|
if context.config.respond_to?(:clock_skew) &&
|
103
104
|
context.config.clock_skew &&
|
@@ -51,7 +51,11 @@ requests are made, and retries are disabled.
|
|
51
51
|
stub = context.client.next_stub(context)
|
52
52
|
resp = Seahorse::Client::Response.new(context: context)
|
53
53
|
async_mode = context.client.is_a? Seahorse::Client::AsyncBase
|
54
|
-
|
54
|
+
if Hash === stub && stub[:mutex]
|
55
|
+
stub[:mutex].synchronize { apply_stub(stub, resp, async_mode) }
|
56
|
+
else
|
57
|
+
apply_stub(stub, resp, async_mode)
|
58
|
+
end
|
55
59
|
|
56
60
|
async_mode ? Seahorse::Client::AsyncResponse.new(
|
57
61
|
context: context, stream: context[:input_event_stream_handler].event_emitter.stream, sync_queue: Queue.new) : resp
|
@@ -27,6 +27,7 @@ module Aws
|
|
27
27
|
def initialize(process)
|
28
28
|
@process = process
|
29
29
|
@credentials = credentials_from_process(@process)
|
30
|
+
@async_refresh = false
|
30
31
|
|
31
32
|
super
|
32
33
|
end
|
@@ -73,9 +74,9 @@ module Aws
|
|
73
74
|
@credentials = credentials_from_process(@process)
|
74
75
|
end
|
75
76
|
|
76
|
-
def near_expiration?
|
77
|
+
def near_expiration?(expiration_length)
|
77
78
|
# are we within 5 minutes of expiration?
|
78
|
-
@expiration && (Time.now.to_i +
|
79
|
+
@expiration && (Time.now.to_i + expiration_length) > @expiration.to_i
|
79
80
|
end
|
80
81
|
end
|
81
82
|
end
|
@@ -17,6 +17,9 @@ module Aws
|
|
17
17
|
# @api private
|
18
18
|
module RefreshingCredentials
|
19
19
|
|
20
|
+
SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
|
21
|
+
ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
|
22
|
+
|
20
23
|
def initialize(options = {})
|
21
24
|
@mutex = Mutex.new
|
22
25
|
@before_refresh = options.delete(:before_refresh) if Hash === options
|
@@ -27,13 +30,13 @@ module Aws
|
|
27
30
|
|
28
31
|
# @return [Credentials]
|
29
32
|
def credentials
|
30
|
-
refresh_if_near_expiration
|
33
|
+
refresh_if_near_expiration!
|
31
34
|
@credentials
|
32
35
|
end
|
33
36
|
|
34
37
|
# @return [Time,nil]
|
35
38
|
def expiration
|
36
|
-
refresh_if_near_expiration
|
39
|
+
refresh_if_near_expiration!
|
37
40
|
@expiration
|
38
41
|
end
|
39
42
|
|
@@ -49,24 +52,39 @@ module Aws
|
|
49
52
|
|
50
53
|
private
|
51
54
|
|
52
|
-
# Refreshes
|
53
|
-
#
|
54
|
-
|
55
|
-
|
55
|
+
# Refreshes credentials asynchronously and synchronously.
|
56
|
+
# If we are near to expiration, block while getting new credentials.
|
57
|
+
# Otherwise, if we're approaching expiration, use the existing credentials
|
58
|
+
# but attempt a refresh in the background.
|
59
|
+
def refresh_if_near_expiration!
|
60
|
+
# Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
|
61
|
+
# call, we check before doing so, and then we check within the mutex to avoid a race condition.
|
62
|
+
# See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
|
63
|
+
if near_expiration?(SYNC_EXPIRATION_LENGTH)
|
56
64
|
@mutex.synchronize do
|
57
|
-
if near_expiration?
|
65
|
+
if near_expiration?(SYNC_EXPIRATION_LENGTH)
|
58
66
|
@before_refresh.call(self) if @before_refresh
|
59
|
-
|
60
67
|
refresh
|
61
68
|
end
|
62
69
|
end
|
70
|
+
elsif @async_refresh && near_expiration?(ASYNC_EXPIRATION_LENGTH)
|
71
|
+
unless @mutex.locked?
|
72
|
+
Thread.new do
|
73
|
+
@mutex.synchronize do
|
74
|
+
if near_expiration?(ASYNC_EXPIRATION_LENGTH)
|
75
|
+
@before_refresh.call(self) if @before_refresh
|
76
|
+
refresh
|
77
|
+
end
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
|
63
81
|
end
|
64
82
|
end
|
65
83
|
|
66
|
-
def near_expiration?
|
84
|
+
def near_expiration?(expiration_length)
|
67
85
|
if @expiration
|
68
|
-
#
|
69
|
-
(Time.now.to_i +
|
86
|
+
# Are we within expiration?
|
87
|
+
(Time.now.to_i + expiration_length) > @expiration.to_i
|
70
88
|
else
|
71
89
|
true
|
72
90
|
end
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -641,7 +641,7 @@ module Aws::STS
|
|
641
641
|
#
|
642
642
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
643
643
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
644
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
644
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
|
645
645
|
#
|
646
646
|
# @option params [Array<String>] :transitive_tag_keys
|
647
647
|
# A list of keys for session tags that you want to set as transitive. If
|
@@ -1179,19 +1179,20 @@ module Aws::STS
|
|
1179
1179
|
|
1180
1180
|
# Returns a set of temporary security credentials for users who have
|
1181
1181
|
# been authenticated in a mobile or web application with a web identity
|
1182
|
-
# provider. Example providers include
|
1183
|
-
# Facebook,
|
1182
|
+
# provider. Example providers include the OAuth 2.0 providers Login with
|
1183
|
+
# Amazon and Facebook, or any OpenID Connect-compatible identity
|
1184
|
+
# provider such as Google or [Amazon Cognito federated identities][1].
|
1184
1185
|
#
|
1185
1186
|
# <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
|
1186
1187
|
# can use Amazon Cognito with the [Amazon Web Services SDK for iOS
|
1187
|
-
# Developer Guide][
|
1188
|
-
# Developer Guide][
|
1188
|
+
# Developer Guide][2] and the [Amazon Web Services SDK for Android
|
1189
|
+
# Developer Guide][3] to uniquely identify a user. You can also supply
|
1189
1190
|
# the user with a consistent identity throughout the lifetime of an
|
1190
1191
|
# application.
|
1191
1192
|
#
|
1192
|
-
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][
|
1193
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][4]
|
1193
1194
|
# in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
|
1194
|
-
# Cognito Overview][
|
1195
|
+
# Cognito Overview][5] in the *Amazon Web Services SDK for iOS Developer
|
1195
1196
|
# Guide*.
|
1196
1197
|
#
|
1197
1198
|
# </note>
|
@@ -1206,8 +1207,8 @@ module Aws::STS
|
|
1206
1207
|
# a token from the web identity provider. For a comparison of
|
1207
1208
|
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
1208
1209
|
# temporary credentials, see [Requesting Temporary Security
|
1209
|
-
# Credentials][
|
1210
|
-
# operations][
|
1210
|
+
# Credentials][6] and [Comparing the Amazon Web Services STS API
|
1211
|
+
# operations][7] in the *IAM User Guide*.
|
1211
1212
|
#
|
1212
1213
|
# The temporary security credentials returned by this API consist of an
|
1213
1214
|
# access key ID, a secret access key, and a security token. Applications
|
@@ -1223,11 +1224,11 @@ module Aws::STS
|
|
1223
1224
|
# to the maximum session duration setting for the role. This setting can
|
1224
1225
|
# have a value from 1 hour to 12 hours. To learn how to view the maximum
|
1225
1226
|
# value for your role, see [View the Maximum Session Duration Setting
|
1226
|
-
# for a Role][
|
1227
|
+
# for a Role][8] in the *IAM User Guide*. The maximum session duration
|
1227
1228
|
# limit applies when you use the `AssumeRole*` API operations or the
|
1228
1229
|
# `assume-role*` CLI commands. However the limit does not apply when you
|
1229
1230
|
# use those operations to create a console URL. For more information,
|
1230
|
-
# see [Using IAM Roles][
|
1231
|
+
# see [Using IAM Roles][9] in the *IAM User Guide*.
|
1231
1232
|
#
|
1232
1233
|
# **Permissions**
|
1233
1234
|
#
|
@@ -1236,7 +1237,7 @@ module Aws::STS
|
|
1236
1237
|
# Amazon Web Services service with the following exception: you cannot
|
1237
1238
|
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
1238
1239
|
#
|
1239
|
-
# (Optional) You can pass inline or managed [session policies][
|
1240
|
+
# (Optional) You can pass inline or managed [session policies][10] to
|
1240
1241
|
# this operation. You can pass a single JSON policy document to use as
|
1241
1242
|
# an inline session policy. You can also specify up to 10 managed
|
1242
1243
|
# policies to use as managed session policies. The plaintext that you
|
@@ -1248,7 +1249,7 @@ module Aws::STS
|
|
1248
1249
|
# Services API calls to access resources in the account that owns the
|
1249
1250
|
# role. You cannot use session policies to grant more permissions than
|
1250
1251
|
# those allowed by the identity-based policy of the role that is being
|
1251
|
-
# assumed. For more information, see [Session Policies][
|
1252
|
+
# assumed. For more information, see [Session Policies][10] in the *IAM
|
1252
1253
|
# User Guide*.
|
1253
1254
|
#
|
1254
1255
|
# **Tags**
|
@@ -1256,12 +1257,12 @@ module Aws::STS
|
|
1256
1257
|
# (Optional) You can configure your IdP to pass attributes into your web
|
1257
1258
|
# identity token as session tags. Each session tag consists of a key
|
1258
1259
|
# name and an associated value. For more information about session tags,
|
1259
|
-
# see [Passing Session Tags in STS][
|
1260
|
+
# see [Passing Session Tags in STS][11] in the *IAM User Guide*.
|
1260
1261
|
#
|
1261
1262
|
# You can pass up to 50 session tags. The plaintext session tag keys
|
1262
1263
|
# can’t exceed 128 characters and the values can’t exceed 256
|
1263
1264
|
# characters. For these and additional limits, see [IAM and STS
|
1264
|
-
# Character Limits][
|
1265
|
+
# Character Limits][12] in the *IAM User Guide*.
|
1265
1266
|
#
|
1266
1267
|
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1267
1268
|
# policies and session tags into a packed binary format that has a
|
@@ -1279,12 +1280,12 @@ module Aws::STS
|
|
1279
1280
|
# An administrator must grant you the permissions necessary to pass
|
1280
1281
|
# session tags. The administrator can also create granular permissions
|
1281
1282
|
# to allow you to pass only specific session tags. For more information,
|
1282
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
1283
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][13] in
|
1283
1284
|
# the *IAM User Guide*.
|
1284
1285
|
#
|
1285
1286
|
# You can set the session tags as transitive. Transitive tags persist
|
1286
1287
|
# during role chaining. For more information, see [Chaining Roles with
|
1287
|
-
# Session Tags][
|
1288
|
+
# Session Tags][14] in the *IAM User Guide*.
|
1288
1289
|
#
|
1289
1290
|
# **Identities**
|
1290
1291
|
#
|
@@ -1296,54 +1297,55 @@ module Aws::STS
|
|
1296
1297
|
# specified in the role's trust policy.
|
1297
1298
|
#
|
1298
1299
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
1299
|
-
# CloudTrail logs. The entry includes the [Subject][
|
1300
|
+
# CloudTrail logs. The entry includes the [Subject][15] of the provided
|
1300
1301
|
# web identity token. We recommend that you avoid using any personally
|
1301
1302
|
# identifiable information (PII) in this field. For example, you could
|
1302
1303
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1303
|
-
# specification][
|
1304
|
+
# specification][16].
|
1304
1305
|
#
|
1305
1306
|
# For more information about how to use web identity federation and the
|
1306
1307
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
1307
1308
|
#
|
1308
|
-
# * [Using Web Identity Federation API Operations for Mobile Apps][
|
1309
|
-
# and [Federation Through a Web-based Identity Provider][
|
1309
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][17]
|
1310
|
+
# and [Federation Through a Web-based Identity Provider][18].
|
1310
1311
|
#
|
1311
|
-
# * [ Web Identity Federation Playground][
|
1312
|
+
# * [ Web Identity Federation Playground][19]. Walk through the process
|
1312
1313
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
1313
1314
|
# getting temporary security credentials, and then using those
|
1314
1315
|
# credentials to make a request to Amazon Web Services.
|
1315
1316
|
#
|
1316
|
-
# * [Amazon Web Services SDK for iOS Developer Guide][
|
1317
|
-
# Services SDK for Android Developer Guide][
|
1317
|
+
# * [Amazon Web Services SDK for iOS Developer Guide][2] and [Amazon Web
|
1318
|
+
# Services SDK for Android Developer Guide][3]. These toolkits contain
|
1318
1319
|
# sample apps that show how to invoke the identity providers. The
|
1319
1320
|
# toolkits then show how to use the information from these providers
|
1320
1321
|
# to get and use temporary security credentials.
|
1321
1322
|
#
|
1322
|
-
# * [Web Identity Federation with Mobile Applications][
|
1323
|
+
# * [Web Identity Federation with Mobile Applications][20]. This article
|
1323
1324
|
# discusses web identity federation and shows an example of how to use
|
1324
1325
|
# web identity federation to get access to content in Amazon S3.
|
1325
1326
|
#
|
1326
1327
|
#
|
1327
1328
|
#
|
1328
|
-
# [1]:
|
1329
|
-
# [2]: http://aws.amazon.com/
|
1330
|
-
# [3]:
|
1331
|
-
# [4]: https://docs.aws.amazon.com/mobile/
|
1332
|
-
# [5]: https://docs.aws.amazon.com/
|
1333
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1334
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1335
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1336
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1337
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1338
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1339
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1340
|
-
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1341
|
-
# [14]:
|
1342
|
-
# [15]: http://openid.net/specs/openid-connect-core-1_0.html#
|
1343
|
-
# [16]:
|
1344
|
-
# [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1345
|
-
# [18]: https://aws.amazon.com/
|
1346
|
-
# [19]:
|
1329
|
+
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
|
1330
|
+
# [2]: http://aws.amazon.com/sdkforios/
|
1331
|
+
# [3]: http://aws.amazon.com/sdkforandroid/
|
1332
|
+
# [4]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
|
1333
|
+
# [5]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
|
1334
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1335
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1336
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1337
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1338
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1339
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1340
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1341
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1342
|
+
# [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
1343
|
+
# [15]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
1344
|
+
# [16]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1345
|
+
# [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1346
|
+
# [18]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1347
|
+
# [19]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
|
1348
|
+
# [20]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
1347
1349
|
#
|
1348
1350
|
# @option params [required, String] :role_arn
|
1349
1351
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -1370,13 +1372,13 @@ module Aws::STS
|
|
1370
1372
|
# `AssumeRoleWithWebIdentity` call.
|
1371
1373
|
#
|
1372
1374
|
# @option params [String] :provider_id
|
1373
|
-
# The fully qualified host component of the domain name of the
|
1374
|
-
# provider.
|
1375
|
+
# The fully qualified host component of the domain name of the OAuth 2.0
|
1376
|
+
# identity provider. Do not specify this value for an OpenID Connect
|
1377
|
+
# identity provider.
|
1375
1378
|
#
|
1376
|
-
#
|
1377
|
-
#
|
1378
|
-
#
|
1379
|
-
# schemes and port numbers.
|
1379
|
+
# Currently `www.amazon.com` and `graph.facebook.com` are the only
|
1380
|
+
# supported identity providers for OAuth 2.0 access tokens. Do not
|
1381
|
+
# include URL schemes and port numbers.
|
1380
1382
|
#
|
1381
1383
|
# Do not specify this value for OpenID Connect ID tokens.
|
1382
1384
|
#
|
@@ -2288,7 +2290,7 @@ module Aws::STS
|
|
2288
2290
|
params: params,
|
2289
2291
|
config: config)
|
2290
2292
|
context[:gem_name] = 'aws-sdk-core'
|
2291
|
-
context[:gem_version] = '3.
|
2293
|
+
context[:gem_version] = '3.130.0'
|
2292
2294
|
Seahorse::Client::Request.new(handlers, context)
|
2293
2295
|
end
|
2294
2296
|
|
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -213,7 +213,7 @@ module Aws::STS
|
|
213
213
|
#
|
214
214
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
215
215
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
216
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
216
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
|
217
217
|
# @return [Array<Types::Tag>]
|
218
218
|
#
|
219
219
|
# @!attribute [rw] transitive_tag_keys
|
@@ -710,13 +710,13 @@ module Aws::STS
|
|
710
710
|
# @return [String]
|
711
711
|
#
|
712
712
|
# @!attribute [rw] provider_id
|
713
|
-
# The fully qualified host component of the domain name of the
|
714
|
-
# identity provider.
|
713
|
+
# The fully qualified host component of the domain name of the OAuth
|
714
|
+
# 2.0 identity provider. Do not specify this value for an OpenID
|
715
|
+
# Connect identity provider.
|
715
716
|
#
|
716
|
-
#
|
717
|
-
#
|
718
|
-
#
|
719
|
-
# schemes and port numbers.
|
717
|
+
# Currently `www.amazon.com` and `graph.facebook.com` are the only
|
718
|
+
# supported identity providers for OAuth 2.0 access tokens. Do not
|
719
|
+
# include URL schemes and port numbers.
|
720
720
|
#
|
721
721
|
# Do not specify this value for OpenID Connect ID tokens.
|
722
722
|
# @return [String]
|
data/lib/aws-sdk-sts.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.130.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-03-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jmespath
|