aws-sdk-core 3.130.0 → 3.131.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +15 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/assume_role_credentials.rb +6 -11
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +8 -10
- data/lib/aws-sdk-core/ecs_credentials.rb +5 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +5 -0
- data/lib/aws-sdk-core/plugins/retry_errors.rb +12 -2
- data/lib/aws-sdk-core/process_credentials.rb +6 -9
- data/lib/aws-sdk-core/refreshing_credentials.rb +2 -0
- data/lib/aws-sdk-core/sso_credentials.rb +15 -15
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +14 -5
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 323807bf1dabe23c4f52cd7358e91b4a66ed831b45b75ca04d4bac31083e6fbe
|
|
4
|
+
data.tar.gz: 66ed5dc3c5757ed294d4752c0e00ce6c634fb1ec1b7d7b9bc1e9cf3f11738581
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9ff2bcc885f1ff44ea1ce94e5c8bfbb14f15c1e8bd3e558d84e05651c0aa7b7643f5bc10e183650a8f39f51c4cbd2277ab76e96a4b29859893cc7cb3d23285b3
|
|
7
|
+
data.tar.gz: 6416bdfffb8d6279459d6824bb09a34c881f32cc07e092a15fd38a4c0244a98317758cda6e527cb71dd311bce1996a87a99535a6df7b3e798e215c0394c9e174
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,21 @@
|
|
|
1
1
|
Unreleased Changes
|
|
2
2
|
------------------
|
|
3
3
|
|
|
4
|
+
3.131.0 (2022-05-16)
|
|
5
|
+
------------------
|
|
6
|
+
|
|
7
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
|
8
|
+
|
|
9
|
+
3.130.2 (2022-04-22)
|
|
10
|
+
------------------
|
|
11
|
+
|
|
12
|
+
* Issue - Don't pass `:before_refresh` to Client constructors in RefreshingCredential implementations (#2690).
|
|
13
|
+
|
|
14
|
+
3.130.1 (2022-04-12)
|
|
15
|
+
------------------
|
|
16
|
+
|
|
17
|
+
* Issue - Don't call `refresh!` on non-refreshable `Credentials` when retrying errors (#2685).
|
|
18
|
+
|
|
4
19
|
3.130.0 (2022-03-11)
|
|
5
20
|
------------------
|
|
6
21
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.
|
|
1
|
+
3.131.0
|
|
@@ -3,25 +3,20 @@
|
|
|
3
3
|
require 'set'
|
|
4
4
|
|
|
5
5
|
module Aws
|
|
6
|
-
|
|
7
|
-
#
|
|
8
|
-
# a role via {Aws::STS::Client#assume_role}.
|
|
6
|
+
# An auto-refreshing credential provider that assumes a role via
|
|
7
|
+
# {Aws::STS::Client#assume_role}.
|
|
9
8
|
#
|
|
10
9
|
# role_credentials = Aws::AssumeRoleCredentials.new(
|
|
11
10
|
# client: Aws::STS::Client.new(...),
|
|
12
11
|
# role_arn: "linked::account::arn",
|
|
13
12
|
# role_session_name: "session-name"
|
|
14
13
|
# )
|
|
15
|
-
#
|
|
16
14
|
# ec2 = Aws::EC2::Client.new(credentials: role_credentials)
|
|
17
15
|
#
|
|
18
|
-
# If you omit `:client` option, a new {STS::Client} object will be
|
|
19
|
-
# constructed.
|
|
16
|
+
# If you omit `:client` option, a new {Aws::STS::Client} object will be
|
|
17
|
+
# constructed with additional options that were provided.
|
|
20
18
|
#
|
|
21
|
-
#
|
|
22
|
-
# that can be used to help manage refreshing tokens.
|
|
23
|
-
# `before_refresh` is called when AWS credentials are required and need
|
|
24
|
-
# to be refreshed and it is called with the AssumeRoleCredentials object.
|
|
19
|
+
# @see Aws::STS::Client#assume_role
|
|
25
20
|
class AssumeRoleCredentials
|
|
26
21
|
|
|
27
22
|
include CredentialProvider
|
|
@@ -49,7 +44,7 @@ module Aws
|
|
|
49
44
|
options.each_pair do |key, value|
|
|
50
45
|
if self.class.assume_role_options.include?(key)
|
|
51
46
|
@assume_role_params[key] = value
|
|
52
|
-
|
|
47
|
+
elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
|
|
53
48
|
client_opts[key] = value
|
|
54
49
|
end
|
|
55
50
|
end
|
|
@@ -5,9 +5,8 @@ require 'securerandom'
|
|
|
5
5
|
require 'base64'
|
|
6
6
|
|
|
7
7
|
module Aws
|
|
8
|
-
|
|
9
|
-
#
|
|
10
|
-
# a role via {Aws::STS::Client#assume_role_with_web_identity}.
|
|
8
|
+
# An auto-refreshing credential provider that assumes a role via
|
|
9
|
+
# {Aws::STS::Client#assume_role_with_web_identity}.
|
|
11
10
|
#
|
|
12
11
|
# role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
|
|
13
12
|
# client: Aws::STS::Client.new(...),
|
|
@@ -16,12 +15,12 @@ module Aws
|
|
|
16
15
|
# role_session_name: "session-name"
|
|
17
16
|
# ...
|
|
18
17
|
# )
|
|
19
|
-
#
|
|
20
|
-
# @see Aws::STS::Client#assume_role_with_web_identity
|
|
18
|
+
# ec2 = Aws::EC2::Client.new(credentials: role_credentials)
|
|
21
19
|
#
|
|
20
|
+
# If you omit `:client` option, a new {Aws::STS::Client} object will be
|
|
21
|
+
# constructed with additional options that were provided.
|
|
22
22
|
#
|
|
23
|
-
#
|
|
24
|
-
# constructed.
|
|
23
|
+
# @see Aws::STS::Client#assume_role_with_web_identity
|
|
25
24
|
class AssumeRoleWebIdentityCredentials
|
|
26
25
|
|
|
27
26
|
include CredentialProvider
|
|
@@ -52,7 +51,7 @@ module Aws
|
|
|
52
51
|
options.each_pair do |key, value|
|
|
53
52
|
if self.class.assume_role_web_identity_options.include?(key)
|
|
54
53
|
@assume_role_web_identity_params[key] = value
|
|
55
|
-
|
|
54
|
+
elsif !CLIENT_EXCLUDE_OPTIONS.include?(key)
|
|
56
55
|
client_opts[key] = value
|
|
57
56
|
end
|
|
58
57
|
end
|
|
@@ -100,11 +99,10 @@ module Aws
|
|
|
100
99
|
# @api private
|
|
101
100
|
def assume_role_web_identity_options
|
|
102
101
|
@arwio ||= begin
|
|
103
|
-
input = STS::Client.api.operation(:assume_role_with_web_identity).input
|
|
102
|
+
input = Aws::STS::Client.api.operation(:assume_role_with_web_identity).input
|
|
104
103
|
Set.new(input.shape.member_names)
|
|
105
104
|
end
|
|
106
105
|
end
|
|
107
|
-
|
|
108
106
|
end
|
|
109
107
|
end
|
|
110
108
|
end
|
|
@@ -4,6 +4,11 @@ require 'time'
|
|
|
4
4
|
require 'net/http'
|
|
5
5
|
|
|
6
6
|
module Aws
|
|
7
|
+
# An auto-refreshing credential provider that loads credentials from
|
|
8
|
+
# instances running in ECS.
|
|
9
|
+
#
|
|
10
|
+
# ecs_credentials = Aws::ECSCredentials.new(retries: 3)
|
|
11
|
+
# ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
|
|
7
12
|
class ECSCredentials
|
|
8
13
|
|
|
9
14
|
include CredentialProvider
|
|
@@ -4,6 +4,11 @@ require 'time'
|
|
|
4
4
|
require 'net/http'
|
|
5
5
|
|
|
6
6
|
module Aws
|
|
7
|
+
# An auto-refreshing credential provider that loads credentials from
|
|
8
|
+
# EC2 instances.
|
|
9
|
+
#
|
|
10
|
+
# instance_credentials = Aws::InstanceProfileCredentials.new
|
|
11
|
+
# ec2 = Aws::EC2::Client.new(credentials: instance_credentials)
|
|
7
12
|
class InstanceProfileCredentials
|
|
8
13
|
include CredentialProvider
|
|
9
14
|
include RefreshingCredentials
|
|
@@ -313,12 +313,17 @@ a clock skew correction and retry requests with skewed client clocks.
|
|
|
313
313
|
|
|
314
314
|
def retry_request(context, error)
|
|
315
315
|
context.retries += 1
|
|
316
|
-
context.config.credentials.refresh! if error
|
|
316
|
+
context.config.credentials.refresh! if refresh_credentials?(context, error)
|
|
317
317
|
context.http_request.body.rewind
|
|
318
318
|
context.http_response.reset
|
|
319
319
|
call(context)
|
|
320
320
|
end
|
|
321
321
|
|
|
322
|
+
def refresh_credentials?(context, error)
|
|
323
|
+
error.expired_credentials? &&
|
|
324
|
+
context.config.credentials.respond_to?(:refresh!)
|
|
325
|
+
end
|
|
326
|
+
|
|
322
327
|
def add_retry_headers(context)
|
|
323
328
|
request_pairs = {
|
|
324
329
|
'attempt' => context.retries,
|
|
@@ -383,7 +388,7 @@ a clock skew correction and retry requests with skewed client clocks.
|
|
|
383
388
|
def retry_request(context, error)
|
|
384
389
|
delay_retry(context)
|
|
385
390
|
context.retries += 1
|
|
386
|
-
context.config.credentials.refresh! if error
|
|
391
|
+
context.config.credentials.refresh! if refresh_credentials?(context, error)
|
|
387
392
|
context.http_request.body.rewind
|
|
388
393
|
context.http_response.reset
|
|
389
394
|
call(context)
|
|
@@ -399,6 +404,11 @@ a clock skew correction and retry requests with skewed client clocks.
|
|
|
399
404
|
response_truncatable?(context)
|
|
400
405
|
end
|
|
401
406
|
|
|
407
|
+
def refresh_credentials?(context, error)
|
|
408
|
+
error.expired_credentials? &&
|
|
409
|
+
context.config.credentials.respond_to?(:refresh!)
|
|
410
|
+
end
|
|
411
|
+
|
|
402
412
|
def retry_limit(context)
|
|
403
413
|
context.config.retry_limit
|
|
404
414
|
end
|
|
@@ -1,19 +1,16 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
module Aws
|
|
4
|
-
|
|
5
4
|
# A credential provider that executes a given process and attempts
|
|
6
|
-
# to read its stdout to recieve a JSON payload containing the credentials
|
|
7
|
-
#
|
|
8
|
-
# Automatically handles refreshing credentials if an Expiration time is
|
|
9
|
-
# provided in the credentials payload
|
|
10
|
-
#
|
|
11
|
-
# credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
|
|
5
|
+
# to read its stdout to recieve a JSON payload containing the credentials.
|
|
12
6
|
#
|
|
7
|
+
# credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc')
|
|
13
8
|
# ec2 = Aws::EC2::Client.new(credentials: credentials)
|
|
14
9
|
#
|
|
15
|
-
#
|
|
16
|
-
#
|
|
10
|
+
# Automatically handles refreshing credentials if an Expiration time is
|
|
11
|
+
# provided in the credentials payload.
|
|
12
|
+
#
|
|
13
|
+
# @see https://docs.aws.amazon.com/cli/latest/topic/config-vars.html#sourcing-credentials-from-external-processes
|
|
17
14
|
class ProcessCredentials
|
|
18
15
|
|
|
19
16
|
include CredentialProvider
|
|
@@ -20,6 +20,8 @@ module Aws
|
|
|
20
20
|
SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
|
|
21
21
|
ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
|
|
22
22
|
|
|
23
|
+
CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
|
|
24
|
+
|
|
23
25
|
def initialize(options = {})
|
|
24
26
|
@mutex = Mutex.new
|
|
25
27
|
@before_refresh = options.delete(:before_refresh) if Hash === options
|
|
@@ -1,17 +1,12 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
module Aws
|
|
4
|
-
# An auto-refreshing credential provider that
|
|
5
|
-
#
|
|
6
|
-
# token.
|
|
4
|
+
# An auto-refreshing credential provider that assumes a role via
|
|
5
|
+
# {Aws::SSO::Client#get_role_credentials} using a cached access
|
|
6
|
+
# token. This class does NOT implement the SSO login token flow - tokens
|
|
7
7
|
# must generated and refreshed separately by running `aws login` from the
|
|
8
8
|
# AWS CLI with the correct profile.
|
|
9
9
|
#
|
|
10
|
-
# For more background on AWS SSO see the official
|
|
11
|
-
# {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
|
|
12
|
-
#
|
|
13
|
-
# ## Refreshing Credentials from SSO
|
|
14
|
-
#
|
|
15
10
|
# The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
|
|
16
11
|
# addition to AWS credentials expiring after a given amount of time, the
|
|
17
12
|
# access token generated and cached from `aws login` will also expire.
|
|
@@ -20,7 +15,6 @@ module Aws
|
|
|
20
15
|
# the token value, but this can be done by running `aws login` with the
|
|
21
16
|
# correct profile.
|
|
22
17
|
#
|
|
23
|
-
#
|
|
24
18
|
# # You must first run aws sso login --profile your-sso-profile
|
|
25
19
|
# sso_credentials = Aws::SSOCredentials.new(
|
|
26
20
|
# sso_account_id: '123456789',
|
|
@@ -28,11 +22,13 @@ module Aws
|
|
|
28
22
|
# sso_region: "us-east-1",
|
|
29
23
|
# sso_start_url: 'https://your-start-url.awsapps.com/start'
|
|
30
24
|
# )
|
|
31
|
-
#
|
|
32
25
|
# ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
|
|
33
26
|
#
|
|
34
|
-
# If you omit `:client` option, a new {SSO::Client} object will be
|
|
35
|
-
# constructed.
|
|
27
|
+
# If you omit `:client` option, a new {Aws::SSO::Client} object will be
|
|
28
|
+
# constructed with additional options that were provided.
|
|
29
|
+
#
|
|
30
|
+
# @see Aws::SSO::Client#get_role_credentials
|
|
31
|
+
# @see https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html
|
|
36
32
|
class SSOCredentials
|
|
37
33
|
|
|
38
34
|
include CredentialProvider
|
|
@@ -83,9 +79,13 @@ module Aws
|
|
|
83
79
|
# validate we can read the token file
|
|
84
80
|
read_cached_token
|
|
85
81
|
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
82
|
+
|
|
83
|
+
client_opts = {}
|
|
84
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
|
85
|
+
client_opts[:region] = @sso_region
|
|
86
|
+
client_opts[:credentials] = nil
|
|
87
|
+
|
|
88
|
+
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
|
89
89
|
@async_refresh = true
|
|
90
90
|
super
|
|
91
91
|
end
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
|
@@ -2145,6 +2145,14 @@ module Aws::STS
|
|
|
2145
2145
|
# Credentials][1] and [Comparing the Amazon Web Services STS API
|
|
2146
2146
|
# operations][2] in the *IAM User Guide*.
|
|
2147
2147
|
#
|
|
2148
|
+
# <note markdown="1"> No permissions are required for users to perform this operation. The
|
|
2149
|
+
# purpose of the `sts:GetSessionToken` operation is to authenticate the
|
|
2150
|
+
# user using MFA. You cannot use policies to control authentication
|
|
2151
|
+
# operations. For more information, see [Permissions for
|
|
2152
|
+
# GetSessionToken][3] in the *IAM User Guide*.
|
|
2153
|
+
#
|
|
2154
|
+
# </note>
|
|
2155
|
+
#
|
|
2148
2156
|
# **Session Duration**
|
|
2149
2157
|
#
|
|
2150
2158
|
# The `GetSessionToken` operation must be called by using the long-term
|
|
@@ -2170,7 +2178,7 @@ module Aws::STS
|
|
|
2170
2178
|
#
|
|
2171
2179
|
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
|
|
2172
2180
|
# Services account root user credentials. Instead, follow our [best
|
|
2173
|
-
# practices][
|
|
2181
|
+
# practices][4] by creating one or more IAM users, giving them the
|
|
2174
2182
|
# necessary permissions, and using IAM users for everyday interaction
|
|
2175
2183
|
# with Amazon Web Services.
|
|
2176
2184
|
#
|
|
@@ -2186,14 +2194,15 @@ module Aws::STS
|
|
|
2186
2194
|
#
|
|
2187
2195
|
# For more information about using `GetSessionToken` to create temporary
|
|
2188
2196
|
# credentials, go to [Temporary Credentials for Users in Untrusted
|
|
2189
|
-
# Environments][
|
|
2197
|
+
# Environments][5] in the *IAM User Guide*.
|
|
2190
2198
|
#
|
|
2191
2199
|
#
|
|
2192
2200
|
#
|
|
2193
2201
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
2194
2202
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
2195
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
2196
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
|
2203
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
|
|
2204
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
|
|
2205
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
|
2197
2206
|
#
|
|
2198
2207
|
# @option params [Integer] :duration_seconds
|
|
2199
2208
|
# The duration, in seconds, that the credentials should remain valid.
|
|
@@ -2290,7 +2299,7 @@ module Aws::STS
|
|
|
2290
2299
|
params: params,
|
|
2291
2300
|
config: config)
|
|
2292
2301
|
context[:gem_name] = 'aws-sdk-core'
|
|
2293
|
-
context[:gem_version] = '3.
|
|
2302
|
+
context[:gem_version] = '3.131.0'
|
|
2294
2303
|
Seahorse::Client::Request.new(handlers, context)
|
|
2295
2304
|
end
|
|
2296
2305
|
|
data/lib/aws-sdk-sts.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sdk-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.131.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-
|
|
11
|
+
date: 2022-05-16 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jmespath
|