aws-sdk-core 3.165.1 → 3.168.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87c2bc4ec668ad914b936750e1c4809e90abbcd4562058f5fad203368441aa74
-  data.tar.gz: f192ab25dd699477e86cdd40abdbee8e059503c85126c9eb5b2c08548312b50e
+  metadata.gz: d3feaec82dc395d31e4cd17d9951ac80c191c69156317b9cfab13834fe95755a
+  data.tar.gz: efb2c1a30e3d3baccbcfdeb92390a18efb5aaf8a145d1d0cd6129b10413f6358
 SHA512:
-  metadata.gz: 8faf1c195c2e8048c58dd3c09ef3b87170f742d460f4a68abebdc0562f07fd90f7ca1af00bb393d100cb67f11bfc82655bc76af5902f46c7210ac1e7e3802f5f
-  data.tar.gz: 23ee508e629750feccdd9ccfcdc22ea216ec55ad7fbf53e0a99142a7418c8b8088fae22d3c7e2fc0e3375c16b8696e6860bb4b9199ec7f4fc51de1c8b1059726
+  metadata.gz: 77b3fe5b4fcfa3c7855b5d9adcae5957cd8080d049abcd346bcf84500c6aa507d22d91cd9bf9b252da95a2414e513c6729bc3d2905b23d8a276ecf9fa07922ca
+  data.tar.gz: 27f2a8fcd85631e81e0055bbd593cfd04dcaf17002d52edb9ff5beb25aff0e0974afad22a5ac905010e9ef8f165fa9ab47cd7bd8e154023f10ac44b185d4afcc

data/CHANGELOG.md

@@ -1,6 +1,47 @@
 Unreleased Changes
 ------------------
 
+3.168.4 (2022-12-08)
+------------------
+
+* Issue - Fix Sign to not sign Sigv2 requests to S3.
+
+3.168.3 (2022-12-02)
+------------------
+
+* Issue - Retry S3's `BadDigest` error
+
+3.168.2 (2022-11-29)
+------------------
+
+* Issue - Allow region resolution in `AssumeRoleCredentials` from `CredentialProviderChain`.
+
+3.168.1 (2022-11-18)
+------------------
+
+* Issue - Fix initialization of SSOTokenProvider when `AWS_PROFILE` is specified.
+
+3.168.0 (2022-11-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.167.0 (2022-11-09)
+------------------
+
+* Issue - Ensure the stream_thread is not killed before H2 connection status is updated (#2779).
+
+* Feature - Add token refresh support to `SSOCredentialProvider`.
+
+3.166.0 (2022-10-26)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
 3.165.1 (2022-10-25)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.165.1
+3.168.4

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -169,12 +169,14 @@ module Aws
     end
 
     def assume_role_with_profile(options, profile_name)
-      region = (options[:config] && options[:config].region)
-      Aws.shared_config.assume_role_credentials_from_config(
+      assume_opts = {
         profile: profile_name,
-        region: region,
         chain_config: @config
-      )
+      }
+      if options[:config] && options[:config].region
+        assume_opts[:region] = options[:config].region
+      end
+      Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
   end
 end

data/lib/aws-sdk-core/plugins/retries/error_inspector.rb

@@ -39,7 +39,8 @@ module Aws
 
         CHECKSUM_ERRORS = Set.new(
           [
-            'CRC32CheckFailed' # dynamodb
+            'CRC32CheckFailed', # dynamodb
+            'BadDigest' # s3
           ]
         )
 

data/lib/aws-sdk-core/plugins/sign.rb

@@ -37,15 +37,25 @@ module Aws
 
       class Handler < Seahorse::Client::Handler
         def call(context)
-          signer = Sign.signer_for(
-            context[:auth_scheme],
-            context.config,
-            context[:sigv4_region]
-          )
-
-          signer.sign(context)
+          # Skip signing if using sigv2 signing from s3_signer in S3
+          unless v2_signing?(context.config)
+            signer = Sign.signer_for(
+              context[:auth_scheme],
+              context.config,
+              context[:sigv4_region]
+            )
+            signer.sign(context)
+          end
           @handler.call(context)
         end
+
+        private
+
+        def v2_signing?(config)
+          # 's3' is legacy signing, 'v4' is default
+          config.respond_to?(:signature_version) &&
+            config.signature_version == 's3'
+        end
       end
 
       # @api private

data/lib/aws-sdk-core/shared_config.rb

@@ -3,9 +3,10 @@
 module Aws
   # @api private
   class SharedConfig
-    SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_CREDENTIAL_PROFILE_KEYS = %w[sso_account_id sso_role_name].freeze
+    SSO_PROFILE_KEYS = %w[sso_session sso_start_url sso_region sso_account_id sso_role_name].freeze
     SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
-    SSO_SESSION_KEYS = %w[sso_region]
+    SSO_SESSION_KEYS = %w[sso_region sso_start_url].freeze
 
 
     # @return [String]
@@ -331,14 +332,41 @@ module Aws
     def sso_credentials_from_profile(cfg, profile)
       if @parsed_config &&
          (prof_config = cfg[profile]) &&
-         !(prof_config.keys & SSO_PROFILE_KEYS).empty?
+         !(prof_config.keys & SSO_CREDENTIAL_PROFILE_KEYS).empty?
+
+        if sso_session_name = prof_config['sso_session']
+          sso_session = cfg["sso-session #{sso_session_name}"]
+          unless sso_session
+            raise ArgumentError,
+                  "sso-session #{sso_session_name} must be defined in the config file. " \
+                    "Referenced by profile #{profile}"
+          end
+          sso_region = sso_session['sso_region']
+          sso_start_url = sso_session['sso_start_url']
+
+          # validate sso_region and sso_start_url don't conflict if set on profile and session
+          if prof_config['sso_region'] &&  prof_config['sso_region'] != sso_region
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_region (#{sso_region}) " \
+                    "does not match the profile #{profile}'s sso_region (#{prof_config['sso_region']}'"
+          end
+          if prof_config['sso_start_url'] &&  prof_config['sso_start_url'] != sso_start_url
+            raise ArgumentError,
+                  "sso-session #{sso_session_name}'s sso_start_url (#{sso_start_url}) " \
+                    "does not match the profile #{profile}'s sso_start_url (#{prof_config['sso_start_url']}'"
+          end
+        else
+          sso_region = prof_config['sso_region']
+          sso_start_url = prof_config['sso_start_url']
+        end
 
         SSOCredentials.new(
-          sso_start_url: prof_config['sso_start_url'],
-          sso_region: prof_config['sso_region'],
           sso_account_id: prof_config['sso_account_id'],
-          sso_role_name: prof_config['sso_role_name']
-        )
+          sso_role_name: prof_config['sso_role_name'],
+          sso_session: prof_config['sso_session'],
+          sso_region: sso_region,
+          sso_start_url: prof_config['sso_start_url']
+          )
       end
     end
 
@@ -353,7 +381,7 @@ module Aws
         sso_session = cfg["sso-session #{sso_session_name}"]
         unless sso_session
           raise ArgumentError,
-                "sso-session #{sso_session_name} must be defined in the config file." /
+                "sso-session #{sso_session_name} must be defined in the config file." \
                   "Referenced by profile #{profile}"
         end
 

data/lib/aws-sdk-core/sso_credentials.rb

@@ -3,24 +3,19 @@
 module Aws
   # An auto-refreshing credential provider that assumes a role via
   # {Aws::SSO::Client#get_role_credentials} using a cached access
-  # token. This class does NOT implement the SSO login token flow - tokens
-  # must generated and refreshed separately by running `aws login` from the
-  # AWS CLI with the correct profile.
-  #
-  # The `SSOCredentials` will auto-refresh the AWS credentials from SSO. In
-  # addition to AWS credentials expiring after a given amount of time, the
-  # access token generated and cached from `aws login` will also expire.
-  # Once this token expires, it will not be usable to refresh AWS credentials,
-  # and another token will be needed. The SDK does not manage refreshing of
-  # the token value, but this can be done by running `aws login` with the
-  # correct profile.
+  # token. When `sso_session` is specified, token refresh logic from
+  # {Aws::SSOTokenProvider} will be used to refresh the token if possible.
+  # This class does NOT implement the SSO login token flow - tokens
+  # must generated separately by running `aws login` from the
+  # AWS CLI with the correct profile. The `SSOCredentials` will
+  # auto-refresh the AWS credentials from SSO.
   #
   #     # You must first run aws sso login --profile your-sso-profile
   #     sso_credentials = Aws::SSOCredentials.new(
   #       sso_account_id: '123456789',
   #       sso_role_name: "role_name",
   #       sso_region: "us-east-1",
-  #       sso_start_url: 'https://your-start-url.awsapps.com/start'
+  #       sso_session: 'my_sso_session'
   #     )
   #     ec2 = Aws::EC2::Client.new(credentials: sso_credentials)
   #
@@ -35,7 +30,8 @@ module Aws
     include RefreshingCredentials
 
     # @api private
-    SSO_REQUIRED_OPTS = [:sso_account_id, :sso_region, :sso_role_name, :sso_start_url].freeze
+    LEGACY_REQUIRED_OPTS =         [:sso_start_url, :sso_account_id, :sso_region, :sso_role_name].freeze
+    TOKEN_PROVIDER_REQUIRED_OPTS = [:sso_session, :sso_account_id, :sso_region, :sso_role_name].freeze
 
     # @api private
     SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
@@ -45,17 +41,23 @@ module Aws
     # @option options [required, String] :sso_account_id The AWS account ID
     #   that temporary AWS credentials will be resolved for
     #
-    # @option options [required, String] :sso_region The AWS region where the
-    #   SSO directory for the given sso_start_url is hosted.
-    #
     # @option options [required, String] :sso_role_name The corresponding
     #   IAM role in the AWS account that temporary AWS credentials
     #   will be resolved for.
     #
-    # @option options [required, String] :sso_start_url The start URL is
-    #   provided by the SSO service via the console and is the URL used to
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [String] :sso_session The SSO Token used for fetching
+    #   the token. If provided, refresh logic from the {Aws::SSOTokenProvider}
+    #   will be used.
+    #
+    # @option options [String] :sso_start_url (legacy profiles) If provided,
+    #   legacy token fetch behavior will be used, which does not support
+    #   token refreshing.  The start URL is provided by the SSO
+    #   service via the console and is the URL used to
     #   login to the SSO directory. This is also sometimes referred to as
-    #   the "User Portal URL"
+    #   the "User Portal URL".
     #
     # @option options [SSO::Client] :client Optional `SSO::Client`.  If not
     #   provided, a client will be constructed.
@@ -65,27 +67,52 @@ module Aws
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
-
-      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
-      unless missing_keys.empty?
-        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      options = options.select {|k, v| !v.nil? }
+      if (options[:sso_session])
+        missing_keys = TOKEN_PROVIDER_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = false
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # if client has been passed, don't pass through to SSOTokenProvider
+        @client = options.delete(:client)
+        options.delete(:sso_start_url)
+        @token_provider = Aws::SSOTokenProvider.new(options.dup)
+        @sso_session = options.delete(:sso_session)
+        @sso_region = options.delete(:sso_region)
+
+        unless @client
+          client_opts = {}
+          options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+          client_opts[:region] = @sso_region
+          client_opts[:credentials] = nil
+          @client = Aws::SSO::Client.new(client_opts)
+        end
+      else # legacy behavior
+        missing_keys = LEGACY_REQUIRED_OPTS.select { |k| options[k].nil? }
+        unless missing_keys.empty?
+          raise ArgumentError, "Missing required keys: #{missing_keys}"
+        end
+        @legacy = true
+        @sso_start_url = options.delete(:sso_start_url)
+        @sso_region = options.delete(:sso_region)
+        @sso_role_name = options.delete(:sso_role_name)
+        @sso_account_id = options.delete(:sso_account_id)
+
+        # validate we can read the token file
+        read_cached_token
+
+        client_opts = {}
+        options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
+        client_opts[:region] = @sso_region
+        client_opts[:credentials] = nil
+
+        @client = options[:client] || Aws::SSO::Client.new(client_opts)
       end
 
-      @sso_start_url = options.delete(:sso_start_url)
-      @sso_region = options.delete(:sso_region)
-      @sso_role_name = options.delete(:sso_role_name)
-      @sso_account_id = options.delete(:sso_account_id)
-
-      # validate we can read the token file
-      read_cached_token
-
-
-      client_opts = {}
-      options.each_pair { |k,v| client_opts[k] = v unless CLIENT_EXCLUDE_OPTIONS.include?(k) }
-      client_opts[:region] = @sso_region
-      client_opts[:credentials] = nil
-
-      @client = options[:client] || Aws::SSO::Client.new(client_opts)
       @async_refresh = true
       super
     end
@@ -111,12 +138,20 @@ module Aws
     end
 
     def refresh
-      cached_token = read_cached_token
-      c = @client.get_role_credentials(
-        account_id: @sso_account_id,
-        role_name: @sso_role_name,
-        access_token: cached_token['accessToken']
-      ).role_credentials
+      c = if @legacy
+            cached_token = read_cached_token
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: cached_token['accessToken']
+            ).role_credentials
+          else
+            @client.get_role_credentials(
+              account_id: @sso_account_id,
+              role_name: @sso_role_name,
+              access_token: @token_provider.token.token
+            ).role_credentials
+          end
 
       @credentials = Credentials.new(
         c.access_key_id,

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -39,12 +39,13 @@ module Aws
 
       options[:region] = @sso_region
       options[:credentials] = nil
+      options[:token_provider] = nil
       @client = options[:client] || Aws::SSOOIDC::Client.new(options)
 
       super
     end
 
-    # @return [SSO::Client]
+    # @return [SSOOIDC::Client]
     attr_reader :client
 
     private
@@ -66,7 +67,7 @@ module Aws
           resp = @client.create_token(
             grant_type: 'refresh_token',
             client_id: token_json['clientId'],
-            client_secret: token_json['client_secret'],
+            client_secret: token_json['clientSecret'],
             refresh_token: token_json['refreshToken']
           )
           token_json['accessToken'] = resp.access_token

data/lib/aws-sdk-sso/client.rb

@@ -585,7 +585,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.165.0'
+      context[:gem_version] = '3.168.4'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso/types.rb

@@ -34,15 +34,6 @@ module Aws::SSO
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetRoleCredentialsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         role_name: "RoleNameType", # required
-    #         account_id: "AccountIdType", # required
-    #         access_token: "AccessTokenType", # required
-    #       }
-    #
     # @!attribute [rw] role_name
     #   The friendly name of the role that is assigned to the user.
     #   @return [String]
@@ -97,16 +88,6 @@ module Aws::SSO
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListAccountRolesRequest
-    #   data as a hash:
-    #
-    #       {
-    #         next_token: "NextTokenType",
-    #         max_results: 1,
-    #         access_token: "AccessTokenType", # required
-    #         account_id: "AccountIdType", # required
-    #       }
-    #
     # @!attribute [rw] next_token
     #   The page token from the previous response output when you request
     #   subsequent pages.
@@ -159,15 +140,6 @@ module Aws::SSO
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListAccountsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         next_token: "NextTokenType",
-    #         max_results: 1,
-    #         access_token: "AccessTokenType", # required
-    #       }
-    #
     # @!attribute [rw] next_token
     #   (Optional) When requesting subsequent pages, this is the page token
     #   from the previous response output.
@@ -215,13 +187,6 @@ module Aws::SSO
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass LogoutRequest
-    #   data as a hash:
-    #
-    #       {
-    #         access_token: "AccessTokenType", # required
-    #       }
-    #
     # @!attribute [rw] access_token
     #   The token issued by the `CreateToken` API call. For more
     #   information, see [CreateToken][1] in the *IAM Identity Center OIDC

data/lib/aws-sdk-sso.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.165.0'
+  GEM_VERSION = '3.168.4'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -581,7 +581,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.165.0'
+      context[:gem_version] = '3.168.4'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc/types.rb

@@ -45,20 +45,6 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateTokenRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_id: "ClientId", # required
-    #         client_secret: "ClientSecret", # required
-    #         grant_type: "GrantType", # required
-    #         device_code: "DeviceCode",
-    #         code: "AuthCode",
-    #         refresh_token: "RefreshToken",
-    #         scope: ["Scope"],
-    #         redirect_uri: "URI",
-    #       }
-    #
     # @!attribute [rw] client_id
     #   The unique identifier string for each client. This value should come
     #   from the persisted result of the RegisterClient API.
@@ -317,15 +303,6 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RegisterClientRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_name: "ClientName", # required
-    #         client_type: "ClientType", # required
-    #         scopes: ["Scope"],
-    #       }
-    #
     # @!attribute [rw] client_name
     #   The friendly name of the client.
     #   @return [String]
@@ -410,15 +387,6 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass StartDeviceAuthorizationRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_id: "ClientId", # required
-    #         client_secret: "ClientSecret", # required
-    #         start_url: "URI", # required
-    #       }
-    #
     # @!attribute [rw] client_id
     #   The unique identifier string for the client that is registered with
     #   IAM Identity Center. This value should come from the persisted

data/lib/aws-sdk-ssooidc.rb

@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.165.0'
+  GEM_VERSION = '3.168.4'
 
 end