aws-sdk-core 3.129.1 → 3.130.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 49ca96451c7816e538a74ba800cbc2ade4fcfb7a9d712fea2cc6da12deca1172
-  data.tar.gz: 12431a75db151e6c918707c1e592a1810849eebdc437cc41564cb06d536227fc
+  metadata.gz: ff22a0d39db864fb7a965fedeb1f45730a70840d8ae4475e2222529604e3a707
+  data.tar.gz: 90117e48ef4377412254102c08d95718c14b407c64be26b8bb0c62b4b349bfa2
 SHA512:
-  metadata.gz: 6f59af7600dc1f0e76566543cadf66b65f838c195d0a24c962043cf38cbbb190ee5be73daa968acbe332dd9490d9fadd89882e3a6d87f60c2f6f8ef1150f382d
-  data.tar.gz: 56baca1bd31275d8aa749890f0fe02d0e02b6d01df8c9596573efc3c269e6145bfaedbb813ae0aa03982dbc7ea2d35f9a84e58a9b3323304d78e70aab18b0947
+  metadata.gz: dded90c284f709ca41f859ffb832c243728e2d19d630a84c6ba960052e8004af3e90c292f307c8ab76d2f0578ae2259402c4b96ad3a73c7a7e48e9b72c23a919
+  data.tar.gz: bf2b97dc6ce9aafca32582f0e06b0245bf0741f897cfe1ebadf7369f1e7344604247803b396aedc6da37415594baacdce933cd22afba09abc61684884dafe135

data/CHANGELOG.md

@@ -1,6 +1,23 @@
 Unreleased Changes
 ------------------
 
+3.130.2 (2022-04-22)
+------------------
+
+* Issue - Don't pass `:before_refresh` to Client constructors in RefreshingCredential implementations (#2690).
+
+3.130.1 (2022-04-12)
+------------------
+
+* Issue - Don't call `refresh!` on non-refreshable `Credentials` when retrying errors (#2685).
+
+3.130.0 (2022-03-11)
+------------------
+
+* Feature - Asynchronously refresh AWS credentials (#2641).
+
+* Issue - Add x-amz-region-set to list of headers deleted for re-sign.
+
 3.129.1 (2022-03-10)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.129.1
+3.130.2

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -49,11 +49,12 @@ module Aws
       options.each_pair do |key, value|
         if self.class.assume_role_options.include?(key)
           @assume_role_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
+      @async_refresh = true
       super
     end
 

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -17,7 +17,7 @@ module Aws
   #       ...
   #     )
   #     For full list of parameters accepted
-  #     @see Aws::STS::Client#assume_role_with_web_identity 
+  #     @see Aws::STS::Client#assume_role_with_web_identity
   #
   #
   # If you omit `:client` option, a new {STS::Client} object will be
@@ -48,10 +48,11 @@ module Aws
       client_opts = {}
       @assume_role_web_identity_params = {}
       @token_file = options.delete(:web_identity_token_file)
+      @async_refresh = true
       options.each_pair do |key, value|
         if self.class.assume_role_web_identity_options.include?(key)
           @assume_role_web_identity_params[key] = value
-        else
+        elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
           client_opts[key] = value
         end
       end
@@ -99,11 +100,10 @@ module Aws
       # @api private
       def assume_role_web_identity_options
         @arwio ||= begin
-          input = STS::Client.api.operation(:assume_role_with_web_identity).input
+          input = Aws::STS::Client.api.operation(:assume_role_with_web_identity).input
           Set.new(input.shape.member_names)
         end
       end
-
     end
   end
 end

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -62,6 +62,7 @@ module Aws
       @http_read_timeout = options[:http_read_timeout] || 5
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
+      @async_refresh = false
       super
     end
 

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -79,6 +79,7 @@ module Aws
       @token_ttl = options[:token_ttl] || 21_600
       @token = nil
       @no_refresh_until = nil
+      @async_refresh = false
       super
     end
 

data/lib/aws-sdk-core/plugins/retry_errors.rb

@@ -313,12 +313,17 @@ a clock skew correction and retry requests with skewed client clocks.
 
         def retry_request(context, error)
           context.retries += 1
-          context.config.credentials.refresh! if error.expired_credentials?
+          context.config.credentials.refresh! if refresh_credentials?(context, error)
           context.http_request.body.rewind
           context.http_response.reset
           call(context)
         end
 
+        def refresh_credentials?(context, error)
+          error.expired_credentials? &&
+            context.config.credentials.respond_to?(:refresh!)
+        end
+
         def add_retry_headers(context)
           request_pairs = {
             'attempt' => context.retries,
@@ -383,7 +388,7 @@ a clock skew correction and retry requests with skewed client clocks.
         def retry_request(context, error)
           delay_retry(context)
           context.retries += 1
-          context.config.credentials.refresh! if error.expired_credentials?
+          context.config.credentials.refresh! if refresh_credentials?(context, error)
           context.http_request.body.rewind
           context.http_response.reset
           call(context)
@@ -399,6 +404,11 @@ a clock skew correction and retry requests with skewed client clocks.
             response_truncatable?(context)
         end
 
+        def refresh_credentials?(context, error)
+          error.expired_credentials? &&
+            context.config.credentials.respond_to?(:refresh!)
+        end
+
         def retry_limit(context)
           context.config.retry_limit
         end

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -98,6 +98,7 @@ module Aws
           req.headers.delete('Authorization')
           req.headers.delete('X-Amz-Security-Token')
           req.headers.delete('X-Amz-Date')
+          req.headers.delete('x-Amz-Region-Set')
 
           if context.config.respond_to?(:clock_skew) &&
              context.config.clock_skew &&

data/lib/aws-sdk-core/process_credentials.rb

@@ -27,6 +27,7 @@ module Aws
     def initialize(process)
       @process = process
       @credentials = credentials_from_process(@process)
+      @async_refresh = false
 
       super
     end
@@ -73,9 +74,9 @@ module Aws
       @credentials = credentials_from_process(@process)
     end
 
-    def near_expiration?
+    def near_expiration?(expiration_length)
       # are we within 5 minutes of expiration?
-      @expiration && (Time.now.to_i + 5 * 60) > @expiration.to_i
+      @expiration && (Time.now.to_i + expiration_length) > @expiration.to_i
     end
   end
 end

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -17,6 +17,11 @@ module Aws
   # @api private
   module RefreshingCredentials
 
+    SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
+    ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
+
+    CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
+
     def initialize(options = {})
       @mutex = Mutex.new
       @before_refresh = options.delete(:before_refresh) if Hash === options
@@ -27,13 +32,13 @@ module Aws
 
     # @return [Credentials]
     def credentials
-      refresh_if_near_expiration
+      refresh_if_near_expiration!
       @credentials
     end
 
     # @return [Time,nil]
     def expiration
-      refresh_if_near_expiration
+      refresh_if_near_expiration!
       @expiration
     end
 
@@ -49,24 +54,39 @@ module Aws
 
     private
 
-    # Refreshes instance metadata credentials if they are within
-    # 5 minutes of expiration.
-    def refresh_if_near_expiration
-      if near_expiration?
+    # Refreshes credentials asynchronously and synchronously.
+    # If we are near to expiration, block while getting new credentials.
+    # Otherwise, if we're approaching expiration, use the existing credentials
+    # but attempt a refresh in the background.
+    def refresh_if_near_expiration!
+      # Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
+      # call, we check before doing so, and then we check within the mutex to avoid a race condition.
+      # See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
+      if near_expiration?(SYNC_EXPIRATION_LENGTH)
         @mutex.synchronize do
-          if near_expiration?
+          if near_expiration?(SYNC_EXPIRATION_LENGTH)
             @before_refresh.call(self) if @before_refresh
-
             refresh
           end
         end
+      elsif @async_refresh && near_expiration?(ASYNC_EXPIRATION_LENGTH)
+        unless @mutex.locked?
+          Thread.new do
+            @mutex.synchronize do
+              if near_expiration?(ASYNC_EXPIRATION_LENGTH)
+                @before_refresh.call(self) if @before_refresh
+                refresh
+              end
+            end
+          end
+        end
       end
     end
 
-    def near_expiration?
+    def near_expiration?(expiration_length)
       if @expiration
-        # are we within 5 minutes of expiration?
-        (Time.now.to_i + 5 * 60) > @expiration.to_i
+        # Are we within expiration?
+        (Time.now.to_i + expiration_length) > @expiration.to_i
       else
         true
       end

data/lib/aws-sdk-core/sso_credentials.rb

@@ -83,9 +83,14 @@ module Aws
       # validate we can read the token file
       read_cached_token
 
-      options[:region] = @sso_region
-      options[:credentials] = nil
-      @client = options[:client] || Aws::SSO::Client.new(options)
+
+      client_opts = {}
+      options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+      client_opts[:region] = @sso_region
+      client_opts[:credentials] = nil
+
+      @client = options[:client] || Aws::SSO::Client.new(client_opts)
+      @async_refresh = true
       super
     end
 

data/lib/aws-sdk-sso/client.rb

@@ -545,7 +545,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.129.1'
+      context[:gem_version] = '3.130.2'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.129.1'
+  GEM_VERSION = '3.130.2'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -2290,7 +2290,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.129.1'
+      context[:gem_version] = '3.130.2'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.129.1'
+  GEM_VERSION = '3.130.2'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.129.1
+  version: 3.130.2
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-03-10 00:00:00.000000000 Z
+date: 2022-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath