aws-sdk-core 3.165.1 → 3.167.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/shared_config.rb +36 -8
- data/lib/aws-sdk-core/sso_credentials.rb +79 -44
- data/lib/aws-sdk-core/sso_token_provider.rb +2 -2
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/h2/connection.rb +2 -5
- metadata +7 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f1aac37b880dbc6ede841754c8d4ce29957b9e0e6a9acf2c09233f2476f7816b
|
4
|
+
data.tar.gz: e481e937efc7f63e4ab27c8674a604364c7a702855dd1f8a1e7947bafeff69ec
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 9299bc7558feb4213b3829a0e2151f47863961f5a957c361f6079abb0fa32c60f35f3bfb4c1febeacac66640dbe5373df46c7f53c378397f954a727edeb5870b
|
7
|
+
data.tar.gz: '0018d080dff65a600be4ebf1990dde19ef27ace79ebde11b68fac65e126ee6c332c7ad8affb5b4f9db13c67bf61483688294537c62a0bfb2774d354b8d373579'
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,22 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.167.0 (2022-11-09)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Issue - Ensure the stream_thread is not killed before H2 connection status is updated (#2779).
|
8
|
+
|
9
|
+
* Feature - Add token refresh support to `SSOCredentialProvider`.
|
10
|
+
|
11
|
+
3.166.0 (2022-10-26)
|
12
|
+
------------------
|
13
|
+
|
14
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
15
|
+
|
16
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
17
|
+
|
18
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
19
|
+
|
4
20
|
3.165.1 (2022-10-25)
|
5
21
|
------------------
|
6
22
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.167.0
|
@@ -3,9 +3,10 @@
|
|
3
3
|
module Aws
|
4
4
|
# @api private
|
5
5
|
class SharedConfig
|
6
|
-
|
6
|
+
SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
|
7
|
+
SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
|
7
8
|
SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
|
8
|
-
SSO_SESSION_KEYS = %w[sso_region]
|
9
|
+
SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
|
9
10
|
|
10
11
|
|
11
12
|
# @return [String]
|
@@ -331,14 +332,41 @@ module Aws
|
|
331
332
|
def sso_credentials_from_profile(cfg, profile)
|
332
333
|
if @parsed_config &&
|
333
334
|
(prof_config = cfg[profile]) &&
|
334
|
-
!(prof_config.keys &
|
335
|
+
!(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
|
336
|
+
|
337
|
+
if sso_session_name = prof_config['sso_session']
|
338
|
+
sso_session = cfg["sso-session #{sso_session_name}"]
|
339
|
+
unless sso_session
|
340
|
+
raise ArgumentError,
|
341
|
+
"sso-session #{sso_session_name} must be defined in the config file. " \
|
342
|
+
"Referenced by profile #{profile}"
|
343
|
+
end
|
344
|
+
sso_region = sso_session['sso_region']
|
345
|
+
sso_start_url = sso_session['sso_start_url']
|
346
|
+
|
347
|
+
# validate sso_region and sso_start_url don't conflict if set on profile and session
|
348
|
+
if prof_config['sso_region'] && prof_config['sso_region'] != sso_region
|
349
|
+
raise ArgumentError,
|
350
|
+
"sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
|
351
|
+
"does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
|
352
|
+
end
|
353
|
+
if prof_config['sso_start_url'] && prof_config['sso_start_url'] != sso_start_url
|
354
|
+
raise ArgumentError,
|
355
|
+
"sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
|
356
|
+
"does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
|
357
|
+
end
|
358
|
+
else
|
359
|
+
sso_region = prof_config['sso_region']
|
360
|
+
sso_start_url = prof_config['sso_start_url']
|
361
|
+
end
|
335
362
|
|
336
363
|
SSOCredentials.new(
|
337
|
-
sso_start_url: prof_config['sso_start_url'],
|
338
|
-
sso_region: prof_config['sso_region'],
|
339
364
|
sso_account_id: prof_config['sso_account_id'],
|
340
|
-
sso_role_name: prof_config['sso_role_name']
|
341
|
-
|
365
|
+
sso_role_name: prof_config['sso_role_name'],
|
366
|
+
sso_session: prof_config['sso_session'],
|
367
|
+
sso_region: sso_region,
|
368
|
+
sso_start_url: prof_config['sso_start_url']
|
369
|
+
)
|
342
370
|
end
|
343
371
|
end
|
344
372
|
|
@@ -353,7 +381,7 @@ module Aws
|
|
353
381
|
sso_session = cfg["sso-session #{sso_session_name}"]
|
354
382
|
unless sso_session
|
355
383
|
raise ArgumentError,
|
356
|
-
"sso-session #{sso_session_name} must be defined in the config file."
|
384
|
+
"sso-session #{sso_session_name} must be defined in the config file." \
|
357
385
|
"Referenced by profile #{profile}"
|
358
386
|
end
|
359
387
|
|
@@ -3,24 +3,19 @@
|
|
3
3
|
module Aws
|
4
4
|
# An auto-refreshing credential provider that assumes a role via
|
5
5
|
# {Aws::SSO::Client#get_role_credentials} using a cached access
|
6
|
-
# token.
|
7
|
-
#
|
8
|
-
#
|
9
|
-
#
|
10
|
-
#
|
11
|
-
#
|
12
|
-
# access token generated and cached from `aws login` will also expire.
|
13
|
-
# Once this token expires, it will not be usable to refresh AWS credentials,
|
14
|
-
# and another token will be needed. The SDK does not manage refreshing of
|
15
|
-
# the token value, but this can be done by running `aws login` with the
|
16
|
-
# correct profile.
|
6
|
+
# token. When `sso_session` is specified, token refresh logic from
|
7
|
+
# {Aws::SSOTokenProvider} will be used to refresh the token if possible.
|
8
|
+
# This class does NOT implement the SSO login token flow - tokens
|
9
|
+
# must generated separately by running `aws login` from the
|
10
|
+
# AWS CLI with the correct profile. The `SSOCredentials` will
|
11
|
+
# auto-refresh the AWS credentials from SSO.
|
17
12
|
#
|
18
13
|
# # You must first run aws sso login --profile your-sso-profile
|
19
14
|
# sso_credentials = Aws::SSOCredentials.new(
|
20
15
|
# sso_account_id: '123456789',
|
21
16
|
# sso_role_name: "role_name",
|
22
17
|
# sso_region: "us-east-1",
|
23
|
-
#
|
18
|
+
# sso_session: 'my_sso_session'
|
24
19
|
# )
|
25
20
|
# ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
|
26
21
|
#
|
@@ -35,7 +30,8 @@ module Aws
|
|
35
30
|
include RefreshingCredentials
|
36
31
|
|
37
32
|
# @api private
|
38
|
-
|
33
|
+
LEGACY_REQUIRED_OPTS = [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
|
34
|
+
TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
|
39
35
|
|
40
36
|
# @api private
|
41
37
|
SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
|
@@ -45,17 +41,23 @@ module Aws
|
|
45
41
|
# @option options [required, String] :sso_account_id The AWS account ID
|
46
42
|
# that temporary AWS credentials will be resolved for
|
47
43
|
#
|
48
|
-
# @option options [required, String] :sso_region The AWS region where the
|
49
|
-
# SSO directory for the given sso_start_url is hosted.
|
50
|
-
#
|
51
44
|
# @option options [required, String] :sso_role_name The corresponding
|
52
45
|
# IAM role in the AWS account that temporary AWS credentials
|
53
46
|
# will be resolved for.
|
54
47
|
#
|
55
|
-
# @option options [required, String] :
|
56
|
-
#
|
48
|
+
# @option options [required, String] :sso_region The AWS region where the
|
49
|
+
# SSO directory for the given sso_start_url is hosted.
|
50
|
+
#
|
51
|
+
# @option options [String] :sso_session The SSO Token used for fetching
|
52
|
+
# the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
|
53
|
+
# will be used.
|
54
|
+
#
|
55
|
+
# @option options [String] :sso_start_url (legacy profiles) If provided,
|
56
|
+
# legacy token fetch behavior will be used, which does not support
|
57
|
+
# token refreshing. The start URL is provided by the SSO
|
58
|
+
# service via the console and is the URL used to
|
57
59
|
# login to the SSO directory. This is also sometimes referred to as
|
58
|
-
# the "User Portal URL"
|
60
|
+
# the "User Portal URL".
|
59
61
|
#
|
60
62
|
# @option options [SSO::Client] :client Optional `SSO::Client`. If not
|
61
63
|
# provided, a client will be constructed.
|
@@ -65,27 +67,52 @@ module Aws
|
|
65
67
|
# with an instance of this object when
|
66
68
|
# AWS credentials are required and need to be refreshed.
|
67
69
|
def initialize(options = {})
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
70
|
+
options = options.select {|k, v| !v.nil? }
|
71
|
+
if (options[:sso_session])
|
72
|
+
missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
|
73
|
+
unless missing_keys.empty?
|
74
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
75
|
+
end
|
76
|
+
@legacy = false
|
77
|
+
@sso_role_name = options.delete(:sso_role_name)
|
78
|
+
@sso_account_id = options.delete(:sso_account_id)
|
79
|
+
|
80
|
+
# if client has been passed, don't pass through to SSOTokenProvider
|
81
|
+
@client = options.delete(:client)
|
82
|
+
options.delete(:sso_start_url)
|
83
|
+
@token_provider = Aws::SSOTokenProvider.new(options.dup)
|
84
|
+
@sso_session = options.delete(:sso_session)
|
85
|
+
@sso_region = options.delete(:sso_region)
|
86
|
+
|
87
|
+
unless @client
|
88
|
+
client_opts = {}
|
89
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
90
|
+
client_opts[:region] = @sso_region
|
91
|
+
client_opts[:credentials] = nil
|
92
|
+
@client = Aws::SSO::Client.new(client_opts)
|
93
|
+
end
|
94
|
+
else # legacy behavior
|
95
|
+
missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
|
96
|
+
unless missing_keys.empty?
|
97
|
+
raise ArgumentError, "Missing required keys: #{missing_keys}"
|
98
|
+
end
|
99
|
+
@legacy = true
|
100
|
+
@sso_start_url = options.delete(:sso_start_url)
|
101
|
+
@sso_region = options.delete(:sso_region)
|
102
|
+
@sso_role_name = options.delete(:sso_role_name)
|
103
|
+
@sso_account_id = options.delete(:sso_account_id)
|
104
|
+
|
105
|
+
# validate we can read the token file
|
106
|
+
read_cached_token
|
107
|
+
|
108
|
+
client_opts = {}
|
109
|
+
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
110
|
+
client_opts[:region] = @sso_region
|
111
|
+
client_opts[:credentials] = nil
|
112
|
+
|
113
|
+
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
72
114
|
end
|
73
115
|
|
74
|
-
@sso_start_url = options.delete(:sso_start_url)
|
75
|
-
@sso_region = options.delete(:sso_region)
|
76
|
-
@sso_role_name = options.delete(:sso_role_name)
|
77
|
-
@sso_account_id = options.delete(:sso_account_id)
|
78
|
-
|
79
|
-
# validate we can read the token file
|
80
|
-
read_cached_token
|
81
|
-
|
82
|
-
|
83
|
-
client_opts = {}
|
84
|
-
options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
|
85
|
-
client_opts[:region] = @sso_region
|
86
|
-
client_opts[:credentials] = nil
|
87
|
-
|
88
|
-
@client = options[:client] || Aws::SSO::Client.new(client_opts)
|
89
116
|
@async_refresh = true
|
90
117
|
super
|
91
118
|
end
|
@@ -111,12 +138,20 @@ module Aws
|
|
111
138
|
end
|
112
139
|
|
113
140
|
def refresh
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
141
|
+
c = if @legacy
|
142
|
+
cached_token = read_cached_token
|
143
|
+
@client.get_role_credentials(
|
144
|
+
account_id: @sso_account_id,
|
145
|
+
role_name: @sso_role_name,
|
146
|
+
access_token: cached_token['accessToken']
|
147
|
+
).role_credentials
|
148
|
+
else
|
149
|
+
@client.get_role_credentials(
|
150
|
+
account_id: @sso_account_id,
|
151
|
+
role_name: @sso_role_name,
|
152
|
+
access_token: @token_provider.token.token
|
153
|
+
).role_credentials
|
154
|
+
end
|
120
155
|
|
121
156
|
@credentials = Credentials.new(
|
122
157
|
c.access_key_id,
|
@@ -44,7 +44,7 @@ module Aws
|
|
44
44
|
super
|
45
45
|
end
|
46
46
|
|
47
|
-
# @return [
|
47
|
+
# @return [SSOOIDC::Client]
|
48
48
|
attr_reader :client
|
49
49
|
|
50
50
|
private
|
@@ -66,7 +66,7 @@ module Aws
|
|
66
66
|
resp = @client.create_token(
|
67
67
|
grant_type: 'refresh_token',
|
68
68
|
client_id: token_json['clientId'],
|
69
|
-
client_secret: token_json['
|
69
|
+
client_secret: token_json['clientSecret'],
|
70
70
|
refresh_token: token_json['refreshToken']
|
71
71
|
)
|
72
72
|
token_json['accessToken'] = resp.access_token
|
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-ssooidc.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -2316,7 +2316,7 @@ module Aws::STS
|
|
2316
2316
|
params: params,
|
2317
2317
|
config: config)
|
2318
2318
|
context[:gem_name] = 'aws-sdk-core'
|
2319
|
-
context[:gem_version] = '3.
|
2319
|
+
context[:gem_version] = '3.167.0'
|
2320
2320
|
Seahorse::Client::Request.new(handlers, context)
|
2321
2321
|
end
|
2322
2322
|
|
data/lib/aws-sdk-sts.rb
CHANGED
@@ -104,7 +104,7 @@ module Seahorse
|
|
104
104
|
@mutex.synchronize {
|
105
105
|
return if @socket_thread
|
106
106
|
@socket_thread = Thread.new do
|
107
|
-
while !@socket.closed?
|
107
|
+
while @socket && !@socket.closed?
|
108
108
|
begin
|
109
109
|
data = @socket.read_nonblock(@chunk_size)
|
110
110
|
@h2_client << data
|
@@ -130,6 +130,7 @@ module Seahorse
|
|
130
130
|
self.close!
|
131
131
|
end
|
132
132
|
end
|
133
|
+
@socket_thread = nil
|
133
134
|
end
|
134
135
|
@socket_thread.abort_on_exception = true
|
135
136
|
}
|
@@ -142,10 +143,6 @@ module Seahorse
|
|
142
143
|
@socket.close
|
143
144
|
@socket = nil
|
144
145
|
end
|
145
|
-
if @socket_thread
|
146
|
-
Thread.kill(@socket_thread)
|
147
|
-
@socket_thread = nil
|
148
|
-
end
|
149
146
|
@status = :closed
|
150
147
|
}
|
151
148
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.167.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2022-
|
11
|
+
date: 2022-11-09 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jmespath
|
@@ -86,7 +86,7 @@ dependencies:
|
|
86
86
|
version: 1.0.2
|
87
87
|
description: Provides API clients for AWS. This gem is part of the official AWS SDK
|
88
88
|
for Ruby.
|
89
|
-
email:
|
89
|
+
email:
|
90
90
|
executables: []
|
91
91
|
extensions: []
|
92
92
|
extra_rdoc_files: []
|
@@ -344,7 +344,7 @@ licenses:
|
|
344
344
|
metadata:
|
345
345
|
source_code_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sdk-core
|
346
346
|
changelog_uri: https://github.com/aws/aws-sdk-ruby/tree/version-3/gems/aws-sdk-core/CHANGELOG.md
|
347
|
-
post_install_message:
|
347
|
+
post_install_message:
|
348
348
|
rdoc_options: []
|
349
349
|
require_paths:
|
350
350
|
- lib
|
@@ -359,8 +359,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
359
359
|
- !ruby/object:Gem::Version
|
360
360
|
version: '0'
|
361
361
|
requirements: []
|
362
|
-
rubygems_version: 3.
|
363
|
-
signing_key:
|
362
|
+
rubygems_version: 3.1.6
|
363
|
+
signing_key:
|
364
364
|
specification_version: 4
|
365
365
|
summary: AWS SDK for Ruby - Core
|
366
366
|
test_files: []
|