aws-sdk-core 3.131.3 → 3.176.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +330 -1
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +8 -5
- data/lib/aws-sdk-core/ecs_credentials.rb +111 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +127 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +13 -0
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +10 -1
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +1 -1
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +24 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +14 -3
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +5 -0
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +2 -1
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +13 -7
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/refreshing_credentials.rb +0 -6
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/request/headers.rb +2 -6
- data/lib/aws-sdk-core/shared_config.rb +78 -6
- data/lib/aws-sdk-core/sso_credentials.rb +80 -45
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +6 -4
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core.rb +14 -0
- data/lib/aws-sdk-sso/client.rb +56 -11
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +611 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +216 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +58 -0
- data/lib/aws-sdk-ssooidc/errors.rb +290 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +74 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +502 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +263 -243
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/presigner.rb +13 -15
- data/lib/aws-sdk-sts/types.rb +87 -195
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +2 -2
- data/lib/seahorse/client/h2/connection.rb +12 -11
- data/lib/seahorse/client/plugins/request_callback.rb +9 -9
- data/lib/seahorse/util.rb +4 -0
- metadata +47 -6
|
@@ -3,24 +3,19 @@
|
|
|
3
3
|
module Aws
|
|
4
4
|
# An auto-refreshing credential provider that assumes a role via
|
|
5
5
|
# {Aws::SSO::Client#get_role_credentials} using a cached access
|
|
6
|
-
# token.
|
|
7
|
-
#
|
|
8
|
-
#
|
|
9
|
-
#
|
|
10
|
-
#
|
|
11
|
-
#
|
|
12
|
-
# access token generated and cached from `aws login` will also expire.
|
|
13
|
-
# Once this token expires, it will not be usable to refresh AWS credentials,
|
|
14
|
-
# and another token will be needed. The SDK does not manage refreshing of
|
|
15
|
-
# the token value, but this can be done by running `aws login` with the
|
|
16
|
-
# correct profile.
|
|
6
|
+
# token. When `sso_session` is specified, token refresh logic from
|
|
7
|
+
# {Aws::SSOTokenProvider} will be used to refresh the token if possible.
|
|
8
|
+
# This class does NOT implement the SSO login token flow - tokens
|
|
9
|
+
# must generated separately by running `aws login` from the
|
|
10
|
+
# AWS CLI with the correct profile. The `SSOCredentials` will
|
|
11
|
+
# auto-refresh the AWS credentials from SSO.
|
|
17
12
|
#
|
|
18
13
|
# # You must first run aws sso login --profile your-sso-profile
|
|
19
14
|
# sso_credentials = Aws::SSOCredentials.new(
|
|
20
15
|
# sso_account_id: '123456789',
|
|
21
16
|
# sso_role_name: "role_name",
|
|
22
17
|
# sso_region: "us-east-1",
|
|
23
|
-
#
|
|
18
|
+
# sso_session: 'my_sso_session'
|
|
24
19
|
# )
|
|
25
20
|
# ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
|
|
26
21
|
#
|
|
@@ -35,7 +30,8 @@ module Aws
|
|
|
35
30
|
include RefreshingCredentials
|
|
36
31
|
|
|
37
32
|
# @api private
|
|
38
|
-
|
|
33
|
+
LEGACY_REQUIRED_OPTS = [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
|
|
34
|
+
TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
|
|
39
35
|
|
|
40
36
|
# @api private
|
|
41
37
|
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
|
@@ -45,17 +41,23 @@ module Aws
|
|
|
45
41
|
# @option options [required, String] :sso_account_id The AWS account ID
|
|
46
42
|
# that temporary AWS credentials will be resolved for
|
|
47
43
|
#
|
|
48
|
-
# @option options [required, String] :sso_region The AWS region where the
|
|
49
|
-
# SSO directory for the given sso_start_url is hosted.
|
|
50
|
-
#
|
|
51
44
|
# @option options [required, String] :sso_role_name The corresponding
|
|
52
45
|
# IAM role in the AWS account that temporary AWS credentials
|
|
53
46
|
# will be resolved for.
|
|
54
47
|
#
|
|
55
|
-
# @option options [required, String] :
|
|
56
|
-
#
|
|
48
|
+
# @option options [required, String] :sso_region The AWS region where the
|
|
49
|
+
# SSO directory for the given sso_start_url is hosted.
|
|
50
|
+
#
|
|
51
|
+
# @option options [String] :sso_session The SSO Token used for fetching
|
|
52
|
+
# the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
|
|
53
|
+
# will be used.
|
|
54
|
+
#
|
|
55
|
+
# @option options [String] :sso_start_url (legacy profiles) If provided,
|
|
56
|
+
# legacy token fetch behavior will be used, which does not support
|
|
57
|
+
# token refreshing. The start URL is provided by the SSO
|
|
58
|
+
# service via the console and is the URL used to
|
|
57
59
|
# login to the SSO directory. This is also sometimes referred to as
|
|
58
|
-
# the "User Portal URL"
|
|
60
|
+
# the "User Portal URL".
|
|
59
61
|
#
|
|
60
62
|
# @option options [SSO::Client] :client Optional `SSO::Client`. If not
|
|
61
63
|
# provided, a client will be constructed.
|
|
@@ -65,27 +67,52 @@ module Aws
|
|
|
65
67
|
# with an instance of this object when
|
|
66
68
|
# AWS credentials are required and need to be refreshed.
|
|
67
69
|
def initialize(options = {})
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
70
|
+
options = options.select {|k, v| !v.nil? }
|
|
71
|
+
if (options[:sso_session])
|
|
72
|
+
missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
|
|
73
|
+
unless missing_keys.empty?
|
|
74
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
|
75
|
+
end
|
|
76
|
+
@legacy = false
|
|
77
|
+
@sso_role_name = options.delete(:sso_role_name)
|
|
78
|
+
@sso_account_id = options.delete(:sso_account_id)
|
|
79
|
+
|
|
80
|
+
# if client has been passed, don't pass through to SSOTokenProvider
|
|
81
|
+
@client = options.delete(:client)
|
|
82
|
+
options.delete(:sso_start_url)
|
|
83
|
+
@token_provider = Aws::SSOTokenProvider.new(options.dup)
|
|
84
|
+
@sso_session = options.delete(:sso_session)
|
|
85
|
+
@sso_region = options.delete(:sso_region)
|
|
86
|
+
|
|
87
|
+
unless @client
|
|
88
|
+
client_opts = {}
|
|
89
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
|
90
|
+
client_opts[:region] = @sso_region
|
|
91
|
+
client_opts[:credentials] = nil
|
|
92
|
+
@client = Aws::SSO::Client.new(client_opts)
|
|
93
|
+
end
|
|
94
|
+
else # legacy behavior
|
|
95
|
+
missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
|
|
96
|
+
unless missing_keys.empty?
|
|
97
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
|
98
|
+
end
|
|
99
|
+
@legacy = true
|
|
100
|
+
@sso_start_url = options.delete(:sso_start_url)
|
|
101
|
+
@sso_region = options.delete(:sso_region)
|
|
102
|
+
@sso_role_name = options.delete(:sso_role_name)
|
|
103
|
+
@sso_account_id = options.delete(:sso_account_id)
|
|
104
|
+
|
|
105
|
+
# validate we can read the token file
|
|
106
|
+
read_cached_token
|
|
107
|
+
|
|
108
|
+
client_opts = {}
|
|
109
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
|
110
|
+
client_opts[:region] = @sso_region
|
|
111
|
+
client_opts[:credentials] = nil
|
|
112
|
+
|
|
113
|
+
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
|
72
114
|
end
|
|
73
115
|
|
|
74
|
-
@sso_start_url = options.delete(:sso_start_url)
|
|
75
|
-
@sso_region = options.delete(:sso_region)
|
|
76
|
-
@sso_role_name = options.delete(:sso_role_name)
|
|
77
|
-
@sso_account_id = options.delete(:sso_account_id)
|
|
78
|
-
|
|
79
|
-
# validate we can read the token file
|
|
80
|
-
read_cached_token
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
client_opts = {}
|
|
84
|
-
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
|
85
|
-
client_opts[:region] = @sso_region
|
|
86
|
-
client_opts[:credentials] = nil
|
|
87
|
-
|
|
88
|
-
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
|
89
116
|
@async_refresh = true
|
|
90
117
|
super
|
|
91
118
|
end
|
|
@@ -111,19 +138,27 @@ module Aws
|
|
|
111
138
|
end
|
|
112
139
|
|
|
113
140
|
def refresh
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
141
|
+
c = if @legacy
|
|
142
|
+
cached_token = read_cached_token
|
|
143
|
+
@client.get_role_credentials(
|
|
144
|
+
account_id: @sso_account_id,
|
|
145
|
+
role_name: @sso_role_name,
|
|
146
|
+
access_token: cached_token['accessToken']
|
|
147
|
+
).role_credentials
|
|
148
|
+
else
|
|
149
|
+
@client.get_role_credentials(
|
|
150
|
+
account_id: @sso_account_id,
|
|
151
|
+
role_name: @sso_role_name,
|
|
152
|
+
access_token: @token_provider.token.token
|
|
153
|
+
).role_credentials
|
|
154
|
+
end
|
|
120
155
|
|
|
121
156
|
@credentials = Credentials.new(
|
|
122
157
|
c.access_key_id,
|
|
123
158
|
c.secret_access_key,
|
|
124
159
|
c.session_token
|
|
125
160
|
)
|
|
126
|
-
@expiration = c.expiration
|
|
161
|
+
@expiration = Time.at(c.expiration / 1000.0)
|
|
127
162
|
end
|
|
128
163
|
|
|
129
164
|
def sso_cache_file
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Aws
|
|
4
|
+
class SSOTokenProvider
|
|
5
|
+
|
|
6
|
+
include TokenProvider
|
|
7
|
+
include RefreshingToken
|
|
8
|
+
|
|
9
|
+
# @api private
|
|
10
|
+
SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
|
|
11
|
+
|
|
12
|
+
# @api private
|
|
13
|
+
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
|
14
|
+
'expired or is otherwise invalid. To refresh this SSO session run '\
|
|
15
|
+
'aws sso login with the corresponding profile.'.freeze
|
|
16
|
+
|
|
17
|
+
# @option options [required, String] :sso_region The AWS region where the
|
|
18
|
+
# SSO directory for the given sso_start_url is hosted.
|
|
19
|
+
#
|
|
20
|
+
# @option options [required, String] :sso_session The SSO Session used to
|
|
21
|
+
# for fetching this token.
|
|
22
|
+
#
|
|
23
|
+
# @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`. If not
|
|
24
|
+
# provided, a client will be constructed.
|
|
25
|
+
#
|
|
26
|
+
# @option options [Callable] before_refresh Proc called before
|
|
27
|
+
# credentials are refreshed. `before_refresh` is called
|
|
28
|
+
# with an instance of this object when
|
|
29
|
+
# AWS credentials are required and need to be refreshed.
|
|
30
|
+
def initialize(options = {})
|
|
31
|
+
|
|
32
|
+
missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
|
|
33
|
+
unless missing_keys.empty?
|
|
34
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
@sso_session = options.delete(:sso_session)
|
|
38
|
+
@sso_region = options.delete(:sso_region)
|
|
39
|
+
|
|
40
|
+
options[:region] = @sso_region
|
|
41
|
+
options[:credentials] = nil
|
|
42
|
+
options[:token_provider] = nil
|
|
43
|
+
@client = options[:client] || Aws::SSOOIDC::Client.new(options)
|
|
44
|
+
|
|
45
|
+
super
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
# @return [SSOOIDC::Client]
|
|
49
|
+
attr_reader :client
|
|
50
|
+
|
|
51
|
+
private
|
|
52
|
+
|
|
53
|
+
def refresh
|
|
54
|
+
# token is valid and not in refresh window - do not refresh it.
|
|
55
|
+
return if @token && @token.expiration && !near_expiration?
|
|
56
|
+
|
|
57
|
+
# token may not exist or is out of the expiration window
|
|
58
|
+
# attempt to refresh from disk first (another process/application may have refreshed already)
|
|
59
|
+
token_json = read_cached_token
|
|
60
|
+
@token = Token.new(token_json['accessToken'], token_json['expiresAt'])
|
|
61
|
+
return if @token && @token.expiration && !near_expiration?
|
|
62
|
+
|
|
63
|
+
# The token is expired and needs to be refreshed
|
|
64
|
+
if can_refresh_token?(token_json)
|
|
65
|
+
begin
|
|
66
|
+
current_time = Time.now
|
|
67
|
+
resp = @client.create_token(
|
|
68
|
+
grant_type: 'refresh_token',
|
|
69
|
+
client_id: token_json['clientId'],
|
|
70
|
+
client_secret: token_json['clientSecret'],
|
|
71
|
+
refresh_token: token_json['refreshToken']
|
|
72
|
+
)
|
|
73
|
+
token_json['accessToken'] = resp.access_token
|
|
74
|
+
token_json['expiresAt'] = current_time + resp.expires_in
|
|
75
|
+
@token = Token.new(token_json['accessToken'], token_json['expiresAt'])
|
|
76
|
+
|
|
77
|
+
if resp.refresh_token
|
|
78
|
+
token_json['refreshToken'] = resp.refresh_token
|
|
79
|
+
else
|
|
80
|
+
token_json.delete('refreshToken')
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
update_token_cache(token_json)
|
|
84
|
+
rescue
|
|
85
|
+
# refresh has failed, continue attempting to use the token if its not hard expired
|
|
86
|
+
end
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
if !@token.expiration || @token.expiration < Time.now
|
|
90
|
+
# Token is hard expired, raise an exception
|
|
91
|
+
raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
|
|
92
|
+
end
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
def read_cached_token
|
|
96
|
+
cached_token = Json.load(File.read(sso_cache_file))
|
|
97
|
+
# validation
|
|
98
|
+
unless cached_token['accessToken'] && cached_token['expiresAt']
|
|
99
|
+
raise ArgumentError, 'Missing required field(s)'
|
|
100
|
+
end
|
|
101
|
+
cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
|
|
102
|
+
cached_token
|
|
103
|
+
rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
|
|
104
|
+
raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
|
|
105
|
+
end
|
|
106
|
+
|
|
107
|
+
def update_token_cache(token_json)
|
|
108
|
+
cached_token = token_json.dup
|
|
109
|
+
cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
|
|
110
|
+
File.write(sso_cache_file, Json.dump(cached_token))
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
def sso_cache_file
|
|
114
|
+
sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
|
|
115
|
+
File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
|
|
116
|
+
rescue ArgumentError
|
|
117
|
+
# Dir.home raises ArgumentError when ENV['home'] is not set
|
|
118
|
+
raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
|
|
119
|
+
end
|
|
120
|
+
|
|
121
|
+
# return true if all required fields are present
|
|
122
|
+
# return false if registrationExpiresAt exists and is later than now
|
|
123
|
+
def can_refresh_token?(token_json)
|
|
124
|
+
if token_json['clientId'] &&
|
|
125
|
+
token_json['clientSecret'] &&
|
|
126
|
+
token_json['refreshToken']
|
|
127
|
+
|
|
128
|
+
return !token_json['registrationExpiresAt'] ||
|
|
129
|
+
Time.parse(token_json['registrationExpiresAt']) > Time.now
|
|
130
|
+
else
|
|
131
|
+
false
|
|
132
|
+
end
|
|
133
|
+
end
|
|
134
|
+
end
|
|
135
|
+
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Aws
|
|
4
|
+
class StaticTokenProvider
|
|
5
|
+
|
|
6
|
+
include TokenProvider
|
|
7
|
+
|
|
8
|
+
# @param [String] token
|
|
9
|
+
# @param [Time] expiration
|
|
10
|
+
def initialize(token, expiration=nil)
|
|
11
|
+
@token = Token.new(token, expiration)
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -28,18 +28,20 @@ module Aws
|
|
|
28
28
|
# in stdlib Struct.
|
|
29
29
|
#
|
|
30
30
|
# @return [Hash]
|
|
31
|
-
def to_h(obj = self)
|
|
31
|
+
def to_h(obj = self, options = {})
|
|
32
32
|
case obj
|
|
33
33
|
when Struct
|
|
34
34
|
obj.each_pair.with_object({}) do |(member, value), hash|
|
|
35
|
-
|
|
35
|
+
member = member.to_s if options[:as_json]
|
|
36
|
+
hash[member] = to_hash(value, options) unless value.nil?
|
|
36
37
|
end
|
|
37
38
|
when Hash
|
|
38
39
|
obj.each.with_object({}) do |(key, value), hash|
|
|
39
|
-
|
|
40
|
+
key = key.to_s if options[:as_json]
|
|
41
|
+
hash[key] = to_hash(value, options)
|
|
40
42
|
end
|
|
41
43
|
when Array
|
|
42
|
-
obj.collect { |value| to_hash(value) }
|
|
44
|
+
obj.collect { |value| to_hash(value, options) }
|
|
43
45
|
else
|
|
44
46
|
obj
|
|
45
47
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Aws
|
|
4
|
+
class Token
|
|
5
|
+
|
|
6
|
+
# @param [String] token
|
|
7
|
+
# @param [Time] expiration
|
|
8
|
+
def initialize(token, expiration=nil)
|
|
9
|
+
@token = token
|
|
10
|
+
@expiration = expiration
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
# @return [String, nil]
|
|
14
|
+
attr_reader :token
|
|
15
|
+
|
|
16
|
+
# @return [Time, nil]
|
|
17
|
+
attr_reader :expiration
|
|
18
|
+
|
|
19
|
+
# @return [Boolean] Returns `true` if token is set
|
|
20
|
+
def set?
|
|
21
|
+
!token.nil? && !token.empty?
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
# Removing the token from the default inspect string.
|
|
25
|
+
# @api private
|
|
26
|
+
def inspect
|
|
27
|
+
"#<#{self.class.name} token=[FILTERED]> expiration=#{expiration}>"
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Aws
|
|
4
|
+
# @api private
|
|
5
|
+
class TokenProviderChain
|
|
6
|
+
def initialize(config = nil)
|
|
7
|
+
@config = config
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
# @return [TokenProvider, nil]
|
|
11
|
+
def resolve
|
|
12
|
+
providers.each do |method_name, options|
|
|
13
|
+
provider = send(method_name, options.merge(config: @config))
|
|
14
|
+
return provider if provider && provider.set?
|
|
15
|
+
end
|
|
16
|
+
nil
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
|
|
21
|
+
def providers
|
|
22
|
+
[
|
|
23
|
+
[:static_profile_sso_token, {}],
|
|
24
|
+
[:sso_token, {}]
|
|
25
|
+
]
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def static_profile_sso_token(options)
|
|
29
|
+
if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
|
|
30
|
+
Aws.shared_config.sso_token_from_config(
|
|
31
|
+
profile: options[:config].profile
|
|
32
|
+
)
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
|
|
37
|
+
def sso_token(options)
|
|
38
|
+
profile_name = determine_profile_name(options)
|
|
39
|
+
if Aws.shared_config.config_enabled?
|
|
40
|
+
Aws.shared_config.sso_token_from_config(profile: profile_name)
|
|
41
|
+
end
|
|
42
|
+
rescue Errors::NoSuchProfileError
|
|
43
|
+
nil
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def determine_profile_name(options)
|
|
47
|
+
(options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
end
|
|
51
|
+
end
|
|
@@ -62,7 +62,9 @@ module Aws
|
|
|
62
62
|
def send_request(options)
|
|
63
63
|
req = options[:client].build_request(@operation_name, options[:params])
|
|
64
64
|
req.handlers.remove(RAISE_HANDLER)
|
|
65
|
-
|
|
65
|
+
Aws::Plugins::UserAgent.feature('waiter') do
|
|
66
|
+
req.send_request
|
|
67
|
+
end
|
|
66
68
|
end
|
|
67
69
|
|
|
68
70
|
def acceptor_matches?(acceptor, response)
|
data/lib/aws-sdk-core.rb
CHANGED
|
@@ -20,6 +20,15 @@ require_relative 'aws-sdk-core/shared_credentials'
|
|
|
20
20
|
require_relative 'aws-sdk-core/process_credentials'
|
|
21
21
|
require_relative 'aws-sdk-core/sso_credentials'
|
|
22
22
|
|
|
23
|
+
# tokens and token providers
|
|
24
|
+
require_relative 'aws-sdk-core/token'
|
|
25
|
+
require_relative 'aws-sdk-core/token_provider'
|
|
26
|
+
require_relative 'aws-sdk-core/static_token_provider'
|
|
27
|
+
require_relative 'aws-sdk-core/refreshing_token'
|
|
28
|
+
require_relative 'aws-sdk-core/sso_token_provider'
|
|
29
|
+
require_relative 'aws-sdk-core/token_provider_chain'
|
|
30
|
+
require_relative 'aws-sdk-core/plugins/bearer_authorization'
|
|
31
|
+
|
|
23
32
|
# client modules
|
|
24
33
|
|
|
25
34
|
require_relative 'aws-sdk-core/client_stubs'
|
|
@@ -88,6 +97,10 @@ require_relative 'aws-sdk-core/arn'
|
|
|
88
97
|
require_relative 'aws-sdk-core/arn_parser'
|
|
89
98
|
require_relative 'aws-sdk-core/ec2_metadata'
|
|
90
99
|
|
|
100
|
+
# dynamic endpoints
|
|
101
|
+
require_relative 'aws-sdk-core/endpoints'
|
|
102
|
+
require_relative 'aws-sdk-core/plugins/signature_v4'
|
|
103
|
+
|
|
91
104
|
# defaults
|
|
92
105
|
require_relative 'aws-defaults'
|
|
93
106
|
|
|
@@ -99,6 +112,7 @@ require_relative 'aws-sdk-sts'
|
|
|
99
112
|
|
|
100
113
|
# aws-sdk-sso is included to support Aws::SSOCredentials
|
|
101
114
|
require_relative 'aws-sdk-sso'
|
|
115
|
+
require_relative 'aws-sdk-ssooidc'
|
|
102
116
|
|
|
103
117
|
module Aws
|
|
104
118
|
|
data/lib/aws-sdk-sso/client.rb
CHANGED
|
@@ -30,7 +30,7 @@ require 'aws-sdk-core/plugins/http_checksum.rb'
|
|
|
30
30
|
require 'aws-sdk-core/plugins/checksum_algorithm.rb'
|
|
31
31
|
require 'aws-sdk-core/plugins/defaults_mode.rb'
|
|
32
32
|
require 'aws-sdk-core/plugins/recursion_detection.rb'
|
|
33
|
-
require 'aws-sdk-core/plugins/
|
|
33
|
+
require 'aws-sdk-core/plugins/sign.rb'
|
|
34
34
|
require 'aws-sdk-core/plugins/protocols/rest_json.rb'
|
|
35
35
|
|
|
36
36
|
Aws::Plugins::GlobalConfiguration.add_identifier(:sso)
|
|
@@ -79,8 +79,9 @@ module Aws::SSO
|
|
|
79
79
|
add_plugin(Aws::Plugins::ChecksumAlgorithm)
|
|
80
80
|
add_plugin(Aws::Plugins::DefaultsMode)
|
|
81
81
|
add_plugin(Aws::Plugins::RecursionDetection)
|
|
82
|
-
add_plugin(Aws::Plugins::
|
|
82
|
+
add_plugin(Aws::Plugins::Sign)
|
|
83
83
|
add_plugin(Aws::Plugins::Protocols::RestJson)
|
|
84
|
+
add_plugin(Aws::SSO::Plugins::Endpoints)
|
|
84
85
|
|
|
85
86
|
# @overload initialize(options)
|
|
86
87
|
# @param [Hash] options
|
|
@@ -274,6 +275,11 @@ module Aws::SSO
|
|
|
274
275
|
# in the future.
|
|
275
276
|
#
|
|
276
277
|
#
|
|
278
|
+
# @option options [String] :sdk_ua_app_id
|
|
279
|
+
# A unique and opaque application ID that is appended to the
|
|
280
|
+
# User-Agent header as app/<sdk_ua_app_id>. It should have a
|
|
281
|
+
# maximum length of 50.
|
|
282
|
+
#
|
|
277
283
|
# @option options [String] :secret_access_key
|
|
278
284
|
#
|
|
279
285
|
# @option options [String] :session_token
|
|
@@ -287,6 +293,19 @@ module Aws::SSO
|
|
|
287
293
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
|
288
294
|
# requests are made, and retries are disabled.
|
|
289
295
|
#
|
|
296
|
+
# @option options [Aws::TokenProvider] :token_provider
|
|
297
|
+
# A Bearer Token Provider. This can be an instance of any one of the
|
|
298
|
+
# following classes:
|
|
299
|
+
#
|
|
300
|
+
# * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
|
|
301
|
+
# tokens.
|
|
302
|
+
#
|
|
303
|
+
# * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
|
|
304
|
+
# access token generated from `aws login`.
|
|
305
|
+
#
|
|
306
|
+
# When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
|
|
307
|
+
# will be used to search for tokens configured for your profile in shared configuration files.
|
|
308
|
+
#
|
|
290
309
|
# @option options [Boolean] :use_dualstack_endpoint
|
|
291
310
|
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
|
292
311
|
# will be used if available.
|
|
@@ -300,6 +319,9 @@ module Aws::SSO
|
|
|
300
319
|
# When `true`, request parameters are validated before
|
|
301
320
|
# sending the request.
|
|
302
321
|
#
|
|
322
|
+
# @option options [Aws::SSO::EndpointProvider] :endpoint_provider
|
|
323
|
+
# The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::SSO::EndpointParameters`
|
|
324
|
+
#
|
|
303
325
|
# @option options [URI::HTTP,String] :http_proxy A proxy to send
|
|
304
326
|
# requests through. Formatted like 'http://proxy.com:123'.
|
|
305
327
|
#
|
|
@@ -362,7 +384,8 @@ module Aws::SSO
|
|
|
362
384
|
#
|
|
363
385
|
# @option params [required, String] :access_token
|
|
364
386
|
# The token issued by the `CreateToken` API call. For more information,
|
|
365
|
-
# see [CreateToken][1] in the *
|
|
387
|
+
# see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
|
|
388
|
+
# Guide*.
|
|
366
389
|
#
|
|
367
390
|
#
|
|
368
391
|
#
|
|
@@ -407,7 +430,8 @@ module Aws::SSO
|
|
|
407
430
|
#
|
|
408
431
|
# @option params [required, String] :access_token
|
|
409
432
|
# The token issued by the `CreateToken` API call. For more information,
|
|
410
|
-
# see [CreateToken][1] in the *
|
|
433
|
+
# see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
|
|
434
|
+
# Guide*.
|
|
411
435
|
#
|
|
412
436
|
#
|
|
413
437
|
#
|
|
@@ -450,8 +474,8 @@ module Aws::SSO
|
|
|
450
474
|
|
|
451
475
|
# Lists all AWS accounts assigned to the user. These AWS accounts are
|
|
452
476
|
# assigned by the administrator of the account. For more information,
|
|
453
|
-
# see [Assign User Access][1] in the *
|
|
454
|
-
# operation returns a paginated response.
|
|
477
|
+
# see [Assign User Access][1] in the *IAM Identity Center User Guide*.
|
|
478
|
+
# This operation returns a paginated response.
|
|
455
479
|
#
|
|
456
480
|
#
|
|
457
481
|
#
|
|
@@ -466,7 +490,8 @@ module Aws::SSO
|
|
|
466
490
|
#
|
|
467
491
|
# @option params [required, String] :access_token
|
|
468
492
|
# The token issued by the `CreateToken` API call. For more information,
|
|
469
|
-
# see [CreateToken][1] in the *
|
|
493
|
+
# see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
|
|
494
|
+
# Guide*.
|
|
470
495
|
#
|
|
471
496
|
#
|
|
472
497
|
#
|
|
@@ -504,12 +529,32 @@ module Aws::SSO
|
|
|
504
529
|
req.send_request(options)
|
|
505
530
|
end
|
|
506
531
|
|
|
507
|
-
# Removes the
|
|
508
|
-
# the
|
|
532
|
+
# Removes the locally stored SSO tokens from the client-side cache and
|
|
533
|
+
# sends an API call to the IAM Identity Center service to invalidate the
|
|
534
|
+
# corresponding server-side IAM Identity Center sign in session.
|
|
535
|
+
#
|
|
536
|
+
# <note markdown="1"> If a user uses IAM Identity Center to access the AWS CLI, the user’s
|
|
537
|
+
# IAM Identity Center sign in session is used to obtain an IAM session,
|
|
538
|
+
# as specified in the corresponding IAM Identity Center permission set.
|
|
539
|
+
# More specifically, IAM Identity Center assumes an IAM role in the
|
|
540
|
+
# target account on behalf of the user, and the corresponding temporary
|
|
541
|
+
# AWS credentials are returned to the client.
|
|
542
|
+
#
|
|
543
|
+
# After user logout, any existing IAM role sessions that were created by
|
|
544
|
+
# using IAM Identity Center permission sets continue based on the
|
|
545
|
+
# duration configured in the permission set. For more information, see
|
|
546
|
+
# [User authentications][1] in the *IAM Identity Center User Guide*.
|
|
547
|
+
#
|
|
548
|
+
# </note>
|
|
549
|
+
#
|
|
550
|
+
#
|
|
551
|
+
#
|
|
552
|
+
# [1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/authconcept.html
|
|
509
553
|
#
|
|
510
554
|
# @option params [required, String] :access_token
|
|
511
555
|
# The token issued by the `CreateToken` API call. For more information,
|
|
512
|
-
# see [CreateToken][1] in the *
|
|
556
|
+
# see [CreateToken][1] in the *IAM Identity Center OIDC API Reference
|
|
557
|
+
# Guide*.
|
|
513
558
|
#
|
|
514
559
|
#
|
|
515
560
|
#
|
|
@@ -545,7 +590,7 @@ module Aws::SSO
|
|
|
545
590
|
params: params,
|
|
546
591
|
config: config)
|
|
547
592
|
context[:gem_name] = 'aws-sdk-core'
|
|
548
|
-
context[:gem_version] = '3.
|
|
593
|
+
context[:gem_version] = '3.176.1'
|
|
549
594
|
Seahorse::Client::Request.new(handlers, context)
|
|
550
595
|
end
|
|
551
596
|
|