aws-sdk-core 3.168.4 → 3.190.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +231 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +4 -4
- data/lib/aws-sdk-core/client_stubs.rb +15 -12
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ecs_credentials.rb +177 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +5 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +5 -1
- data/lib/aws-sdk-core/endpoints/error_rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/function.rb +5 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +13 -9
- data/lib/aws-sdk-core/endpoints/reference.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +5 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +5 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +6 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +5 -0
- data/lib/aws-sdk-core/endpoints/url.rb +1 -0
- data/lib/aws-sdk-core/endpoints.rb +6 -2
- data/lib/aws-sdk-core/errors.rb +1 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
- data/lib/aws-sdk-core/json/error_handler.rb +15 -5
- data/lib/aws-sdk-core/json/handler.rb +8 -1
- data/lib/aws-sdk-core/json/parser.rb +27 -2
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/pageable_response.rb +3 -1
- data/lib/aws-sdk-core/param_validator.rb +2 -2
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +5 -3
- data/lib/aws-sdk-core/plugins/http_checksum.rb +2 -1
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +109 -33
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/sign.rb +16 -10
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/refreshing_credentials.rb +12 -12
- data/lib/aws-sdk-core/rest/request/querystring_builder.rb +43 -29
- data/lib/aws-sdk-core/shared_config.rb +48 -18
- data/lib/aws-sdk-core/sso_credentials.rb +1 -1
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/waiters/poller.rb +4 -2
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-sso/client.rb +21 -1
- data/lib/aws-sdk-sso/endpoint_provider.rb +41 -96
- data/lib/aws-sdk-sso/endpoints.rb +1 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +358 -29
- data/lib/aws-sdk-ssooidc/client_api.rb +56 -1
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +41 -95
- data/lib/aws-sdk-ssooidc/endpoints.rb +15 -0
- data/lib/aws-sdk-ssooidc/errors.rb +31 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +5 -2
- data/lib/aws-sdk-ssooidc/types.rb +302 -49
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +158 -122
- data/lib/aws-sdk-sts/client_api.rb +12 -1
- data/lib/aws-sdk-sts/endpoint_provider.rb +96 -213
- data/lib/aws-sdk-sts/endpoints.rb +1 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +3 -2
- data/lib/aws-sdk-sts/presigner.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +49 -11
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/configuration.rb +0 -4
- data/lib/seahorse/client/h2/connection.rb +10 -6
- data/lib/seahorse/client/net_http/patches.rb +1 -4
- data/lib/seahorse/client/plugins/h2.rb +3 -3
- data/lib/seahorse/client/plugins/request_callback.rb +31 -0
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +3 -0
- metadata +13 -12
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 21cdff0abfe2aec5ad4a801e3c2309930e2afb717f30886b1d075b568c28aa56
|
4
|
+
data.tar.gz: 8a7ab6eef02764d83baef04f6b47fce0c290a850a97a53156c4ef988811bc834
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f9e59ce7c7d62a8bc34c3060655ef2c30c913c7d5acc7a1d205c3f124d1978412d904846e2ad696def72fd98fc0acd091bdd73e07a2f060c674ed8a5999abfcc
|
7
|
+
data.tar.gz: 9f3aa78cdd2e71e8b013510919e47bed89fe871b92801559f027929bbc50510fcccef45dc79f8a300bc2fec6c40f03c1de425fde393c0435d2f8c66201daaff2
|
data/CHANGELOG.md
CHANGED
@@ -1,6 +1,237 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
3.190.3 (2024-01-16)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Issue - Add mutex around accessing stub api_requests.
|
8
|
+
|
9
|
+
3.190.2 (2024-01-09)
|
10
|
+
------------------
|
11
|
+
|
12
|
+
* Issue - Minor performance optimization.
|
13
|
+
|
14
|
+
3.190.1 (2023-12-20)
|
15
|
+
------------------
|
16
|
+
|
17
|
+
* Issue - Add mutex around stub api_requests.
|
18
|
+
|
19
|
+
3.190.0 (2023-11-29)
|
20
|
+
------------------
|
21
|
+
|
22
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
23
|
+
|
24
|
+
3.189.0 (2023-11-28)
|
25
|
+
------------------
|
26
|
+
|
27
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
28
|
+
|
29
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
30
|
+
|
31
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
32
|
+
|
33
|
+
* Feature - Support S3 Express authentication.
|
34
|
+
|
35
|
+
3.188.0 (2023-11-22)
|
36
|
+
------------------
|
37
|
+
|
38
|
+
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
|
39
|
+
|
40
|
+
* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
|
41
|
+
|
42
|
+
3.187.1 (2023-11-20)
|
43
|
+
------------------
|
44
|
+
|
45
|
+
* Issue - For `awsQueryCompatible` services, default an empty list or map for shapes that were previously flattened in the query protocol.
|
46
|
+
|
47
|
+
3.187.0 (2023-11-17)
|
48
|
+
------------------
|
49
|
+
|
50
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
51
|
+
|
52
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
53
|
+
|
54
|
+
3.186.0 (2023-11-02)
|
55
|
+
------------------
|
56
|
+
|
57
|
+
* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
|
58
|
+
|
59
|
+
3.185.2 (2023-10-31)
|
60
|
+
------------------
|
61
|
+
|
62
|
+
* Issue - Fix query string support to lists of booleans, floats, integers and timestamps per rest-json protocol.
|
63
|
+
|
64
|
+
3.185.1 (2023-10-05)
|
65
|
+
------------------
|
66
|
+
|
67
|
+
* Issue - Ignore `__type` when deserializing Unions.
|
68
|
+
|
69
|
+
3.185.0 (2023-10-02)
|
70
|
+
------------------
|
71
|
+
|
72
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
73
|
+
|
74
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
75
|
+
|
76
|
+
3.184.0 (2023-09-27)
|
77
|
+
------------------
|
78
|
+
|
79
|
+
* Feature - Change the `ServiceError` data member from read only to read/write.
|
80
|
+
|
81
|
+
3.183.1 (2023-09-25)
|
82
|
+
------------------
|
83
|
+
|
84
|
+
* Issue - Remove value inspection from param validation errors.
|
85
|
+
|
86
|
+
3.183.0 (2023-09-20)
|
87
|
+
------------------
|
88
|
+
|
89
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
90
|
+
|
91
|
+
3.182.0 (2023-09-19)
|
92
|
+
------------------
|
93
|
+
|
94
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
95
|
+
|
96
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
97
|
+
|
98
|
+
3.181.1 (2023-09-14)
|
99
|
+
------------------
|
100
|
+
|
101
|
+
* Issue - Fix host label validation in endpoint matchers.
|
102
|
+
|
103
|
+
3.181.0 (2023-08-22)
|
104
|
+
------------------
|
105
|
+
|
106
|
+
* Feature - Add support for `on_chunk_received` callback.
|
107
|
+
|
108
|
+
3.180.3 (2023-08-09)
|
109
|
+
------------------
|
110
|
+
|
111
|
+
* Issue - Add support for sso-session names with whitespace configured by the CLI `aws sso configure` command (#2895).
|
112
|
+
|
113
|
+
3.180.2 (2023-08-07)
|
114
|
+
------------------
|
115
|
+
|
116
|
+
* Issue - Fix parsing of ini files with mixes of blank properties and nested configurations.
|
117
|
+
|
118
|
+
3.180.1 (2023-07-31)
|
119
|
+
------------------
|
120
|
+
|
121
|
+
* Issue - Remove checksums from default stubs (#2888).
|
122
|
+
|
123
|
+
3.180.0 (2023-07-25)
|
124
|
+
------------------
|
125
|
+
|
126
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
127
|
+
|
128
|
+
3.179.0 (2023-07-24)
|
129
|
+
------------------
|
130
|
+
|
131
|
+
* Feature - Add `checksum_validated` method to response.
|
132
|
+
|
133
|
+
3.178.0 (2023-07-11)
|
134
|
+
------------------
|
135
|
+
|
136
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
137
|
+
|
138
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
139
|
+
|
140
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
141
|
+
|
142
|
+
* Feature - Add support for configuring the endpoint URL in the shared configuration file or via an environment variable for a specific AWS service or all AWS services.
|
143
|
+
|
144
|
+
3.177.0 (2023-07-06)
|
145
|
+
------------------
|
146
|
+
|
147
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
148
|
+
|
149
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
150
|
+
|
151
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
152
|
+
|
153
|
+
* Feature - Add support for Request Compression.
|
154
|
+
|
155
|
+
3.176.1 (2023-06-29)
|
156
|
+
------------------
|
157
|
+
|
158
|
+
* Issue - Fix signing for S3/S3 Control and `aws-crt` gem for certain object keys (#2849).
|
159
|
+
|
160
|
+
* Issue - Ensure `SSOCredentials` `#expiration` is a `Time` (#2874)
|
161
|
+
|
162
|
+
3.176.0 (2023-06-28)
|
163
|
+
------------------
|
164
|
+
|
165
|
+
* Feature - Add :expiration accessor to `CredentialProvider` and do not refresh credentials when checking expiration (#2872).
|
166
|
+
|
167
|
+
3.175.0 (2023-06-15)
|
168
|
+
------------------
|
169
|
+
|
170
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
171
|
+
|
172
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
173
|
+
|
174
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
175
|
+
|
176
|
+
3.174.0 (2023-05-31)
|
177
|
+
------------------
|
178
|
+
|
179
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
180
|
+
|
181
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
182
|
+
|
183
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
184
|
+
|
185
|
+
* Feature - Improve User-Agent metrics tracking.
|
186
|
+
|
187
|
+
3.173.1 (2023-05-24)
|
188
|
+
------------------
|
189
|
+
|
190
|
+
* Issue - Updated `checksum_algorithm` plugin to use IO.copy_stream for JRuby.
|
191
|
+
|
192
|
+
3.173.0 (2023-05-18)
|
193
|
+
------------------
|
194
|
+
|
195
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
196
|
+
|
197
|
+
3.172.0 (2023-05-08)
|
198
|
+
------------------
|
199
|
+
|
200
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
201
|
+
|
202
|
+
* Feature - Add :region option to `Aws::Log::Formatter`.
|
203
|
+
|
204
|
+
3.171.1 (2023-05-04)
|
205
|
+
------------------
|
206
|
+
|
207
|
+
* Issue - Fix error code parsing in AWS query compatible JSON services.
|
208
|
+
|
209
|
+
3.171.0 (2023-03-22)
|
210
|
+
------------------
|
211
|
+
|
212
|
+
* Feature - Add support for `AWS_CONTAINER_CREDENTIALS_FULL_URI` and `AWS_CONTAINER_AUTHORIZATION_TOKEN` environment variables to `ECSCredentials`.
|
213
|
+
|
214
|
+
3.170.1 (2023-03-17)
|
215
|
+
------------------
|
216
|
+
|
217
|
+
* Issue - Reduce memory usage in H2::Connection when `http_wire_log` is not set.
|
218
|
+
|
219
|
+
3.170.0 (2023-01-25)
|
220
|
+
------------------
|
221
|
+
|
222
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
223
|
+
|
224
|
+
3.169.0 (2023-01-18)
|
225
|
+
------------------
|
226
|
+
|
227
|
+
* Feature - Updated Aws::STS::Client with the latest API changes.
|
228
|
+
|
229
|
+
* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
|
230
|
+
|
231
|
+
* Feature - Updated Aws::SSO::Client with the latest API changes.
|
232
|
+
|
233
|
+
* Issue - Replace runtime endpoint resolution approach with generated ruby code for STS, SSO, and SSOOIDC.
|
234
|
+
|
4
235
|
3.168.4 (2022-12-08)
|
5
236
|
------------------
|
6
237
|
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.190.3
|
@@ -20,7 +20,7 @@ module Aws
|
|
20
20
|
# * Globally via the "AWS_DEFAULTS_MODE" environment variable.
|
21
21
|
#
|
22
22
|
#
|
23
|
-
#
|
23
|
+
# #defaults START - documentation
|
24
24
|
# The following `:default_mode` values are supported:
|
25
25
|
#
|
26
26
|
# * `'standard'` -
|
@@ -105,10 +105,10 @@ module Aws
|
|
105
105
|
# [2]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-retry_mode.html
|
106
106
|
# [3]: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-sts_regional_endpoints.html
|
107
107
|
#
|
108
|
-
#
|
108
|
+
# #defaults END - documentation
|
109
109
|
module DefaultsModeConfiguration
|
110
110
|
# @api private
|
111
|
-
#
|
111
|
+
# #defaults START - configuration
|
112
112
|
SDK_DEFAULT_CONFIGURATION =
|
113
113
|
{
|
114
114
|
"version" => 1,
|
@@ -148,6 +148,6 @@ module Aws
|
|
148
148
|
}
|
149
149
|
}
|
150
150
|
}
|
151
|
-
#
|
151
|
+
# #defaults END - configuration
|
152
152
|
end
|
153
153
|
end
|
@@ -24,15 +24,16 @@ module Aws
|
|
24
24
|
end
|
25
25
|
|
26
26
|
# When a client is stubbed allow the user to access the requests made
|
27
|
-
@api_requests = []
|
28
|
-
|
29
|
-
requests = @api_requests
|
27
|
+
requests = @api_requests = []
|
28
|
+
requests_mutex = @requests_mutex = Mutex.new
|
30
29
|
self.handle do |context|
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
30
|
+
requests_mutex.synchronize do
|
31
|
+
requests << {
|
32
|
+
operation_name: context.operation_name,
|
33
|
+
params: context.params,
|
34
|
+
context: context
|
35
|
+
}
|
36
|
+
end
|
36
37
|
@handler.call(context)
|
37
38
|
end
|
38
39
|
end
|
@@ -194,10 +195,12 @@ module Aws
|
|
194
195
|
# is not stubbed.
|
195
196
|
def api_requests(options = {})
|
196
197
|
if config.stub_responses
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
198
|
+
@requests_mutex.synchronize do
|
199
|
+
if options[:exclude_presign]
|
200
|
+
@api_requests.reject {|req| req[:context][:presigned_url] }
|
201
|
+
else
|
202
|
+
@api_requests
|
203
|
+
end
|
201
204
|
end
|
202
205
|
else
|
203
206
|
msg = 'This method is only implemented for stubbed clients, and is '\
|
@@ -161,7 +161,8 @@ module Aws
|
|
161
161
|
|
162
162
|
def instance_profile_credentials(options)
|
163
163
|
profile_name = determine_profile_name(options)
|
164
|
-
if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
|
164
|
+
if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
|
165
|
+
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
|
165
166
|
ECSCredentials.new(options)
|
166
167
|
else
|
167
168
|
InstanceProfileCredentials.new(options.merge(profile: profile_name))
|
@@ -2,21 +2,27 @@
|
|
2
2
|
|
3
3
|
require 'time'
|
4
4
|
require 'net/http'
|
5
|
+
require 'resolv'
|
5
6
|
|
6
7
|
module Aws
|
7
8
|
# An auto-refreshing credential provider that loads credentials from
|
8
|
-
# instances running in
|
9
|
+
# instances running in containers.
|
9
10
|
#
|
10
11
|
# ecs_credentials = Aws::ECSCredentials.new(retries: 3)
|
11
12
|
# ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
|
12
13
|
class ECSCredentials
|
13
|
-
|
14
14
|
include CredentialProvider
|
15
15
|
include RefreshingCredentials
|
16
16
|
|
17
17
|
# @api private
|
18
18
|
class Non200Response < RuntimeError; end
|
19
19
|
|
20
|
+
# Raised when the token file cannot be read.
|
21
|
+
class TokenFileReadError < RuntimeError; end
|
22
|
+
|
23
|
+
# Raised when the token file is invalid.
|
24
|
+
class InvalidTokenError < RuntimeError; end
|
25
|
+
|
20
26
|
# These are the errors we trap when attempting to talk to the
|
21
27
|
# instance metadata service. Any of these imply the service
|
22
28
|
# is not present, no responding or some other non-recoverable
|
@@ -29,16 +35,22 @@ module Aws
|
|
29
35
|
Errno::ENETUNREACH,
|
30
36
|
SocketError,
|
31
37
|
Timeout::Error,
|
32
|
-
Non200Response
|
33
|
-
]
|
38
|
+
Non200Response
|
39
|
+
].freeze
|
34
40
|
|
35
41
|
# @param [Hash] options
|
36
42
|
# @option options [Integer] :retries (5) Number of times to retry
|
37
43
|
# when retrieving credentials.
|
38
|
-
# @option options [String] :ip_address ('169.254.170.2')
|
39
|
-
#
|
44
|
+
# @option options [String] :ip_address ('169.254.170.2') This value is
|
45
|
+
# ignored if `endpoint` is set and `credential_path` is not set.
|
46
|
+
# @option options [Integer] :port (80) This value is ignored if `endpoint`
|
47
|
+
# is set and `credential_path` is not set.
|
40
48
|
# @option options [String] :credential_path By default, the value of the
|
41
49
|
# AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
|
50
|
+
# @option options [String] :endpoint The container credential endpoint.
|
51
|
+
# By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
|
52
|
+
# environment variable. This value is ignored if `credential_path` or
|
53
|
+
# ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
|
42
54
|
# @option options [Float] :http_open_timeout (5)
|
43
55
|
# @option options [Float] :http_read_timeout (5)
|
44
56
|
# @option options [Numeric, Proc] :delay By default, failures are retried
|
@@ -52,17 +64,14 @@ module Aws
|
|
52
64
|
# credentials are refreshed. `before_refresh` is called
|
53
65
|
# with an instance of this object when
|
54
66
|
# AWS credentials are required and need to be refreshed.
|
55
|
-
def initialize
|
67
|
+
def initialize(options = {})
|
68
|
+
credential_path = options[:credential_path] ||
|
69
|
+
ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
|
70
|
+
endpoint = options[:endpoint] ||
|
71
|
+
ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
|
72
|
+
initialize_uri(options, credential_path, endpoint)
|
73
|
+
|
56
74
|
@retries = options[:retries] || 5
|
57
|
-
@ip_address = options[:ip_address] || '169.254.170.2'
|
58
|
-
@port = options[:port] || 80
|
59
|
-
@credential_path = options[:credential_path]
|
60
|
-
@credential_path ||= ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']
|
61
|
-
unless @credential_path
|
62
|
-
raise ArgumentError.new(
|
63
|
-
"Cannot instantiate an ECS Credential Provider without a credential path."
|
64
|
-
)
|
65
|
-
end
|
66
75
|
@http_open_timeout = options[:http_open_timeout] || 5
|
67
76
|
@http_read_timeout = options[:http_read_timeout] || 5
|
68
77
|
@http_debug_output = options[:http_debug_output]
|
@@ -77,11 +86,95 @@ module Aws
|
|
77
86
|
|
78
87
|
private
|
79
88
|
|
89
|
+
def initialize_uri(options, credential_path, endpoint)
|
90
|
+
if credential_path
|
91
|
+
initialize_relative_uri(options, credential_path)
|
92
|
+
# Use FULL_URI/endpoint only if RELATIVE_URI/path is not set
|
93
|
+
elsif endpoint
|
94
|
+
initialize_full_uri(endpoint)
|
95
|
+
else
|
96
|
+
raise ArgumentError,
|
97
|
+
'Cannot instantiate an ECS Credential Provider '\
|
98
|
+
'without a credential path or endpoint.'
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
def initialize_relative_uri(options, path)
|
103
|
+
@host = options[:ip_address] || '169.254.170.2'
|
104
|
+
@port = options[:port] || 80
|
105
|
+
@scheme = 'http'
|
106
|
+
@credential_path = path
|
107
|
+
end
|
108
|
+
|
109
|
+
def initialize_full_uri(endpoint)
|
110
|
+
uri = URI.parse(endpoint)
|
111
|
+
validate_full_uri_scheme!(uri)
|
112
|
+
validate_full_uri!(uri)
|
113
|
+
@host = uri.hostname
|
114
|
+
@port = uri.port
|
115
|
+
@scheme = uri.scheme
|
116
|
+
@credential_path = uri.request_uri
|
117
|
+
end
|
118
|
+
|
119
|
+
def validate_full_uri_scheme!(full_uri)
|
120
|
+
return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
|
121
|
+
|
122
|
+
raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
|
123
|
+
end
|
124
|
+
|
125
|
+
# Validate that the full URI is using a loopback address if scheme is http.
|
126
|
+
def validate_full_uri!(full_uri)
|
127
|
+
return unless full_uri.scheme == 'http'
|
128
|
+
|
129
|
+
begin
|
130
|
+
return if valid_ip_address?(IPAddr.new(full_uri.host))
|
131
|
+
rescue IPAddr::InvalidAddressError
|
132
|
+
addresses = Resolv.getaddresses(full_uri.host)
|
133
|
+
return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
|
134
|
+
end
|
135
|
+
|
136
|
+
raise ArgumentError,
|
137
|
+
'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
|
138
|
+
'or an ECS or EKS link-local address when using the http scheme.'
|
139
|
+
end
|
140
|
+
|
141
|
+
def valid_ip_address?(ip_address)
|
142
|
+
ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
|
143
|
+
end
|
144
|
+
|
145
|
+
# loopback? method is available in Ruby 2.5+
|
146
|
+
# Replicate the logic here.
|
147
|
+
# loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
|
148
|
+
def ip_loopback?(ip_address)
|
149
|
+
case ip_address.family
|
150
|
+
when Socket::AF_INET
|
151
|
+
ip_address & 0xff000000 == 0x7f000000
|
152
|
+
when Socket::AF_INET6
|
153
|
+
ip_address == 1
|
154
|
+
else
|
155
|
+
false
|
156
|
+
end
|
157
|
+
end
|
158
|
+
|
159
|
+
# Verify that the IP address is a link-local address from ECS or EKS.
|
160
|
+
# ECS container host (IPv4 `169.254.170.2`)
|
161
|
+
# EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
|
162
|
+
def ecs_or_eks_ip?(ip_address)
|
163
|
+
case ip_address.family
|
164
|
+
when Socket::AF_INET
|
165
|
+
[0xa9feaa02, 0xa9feaa17].include?(ip_address)
|
166
|
+
when Socket::AF_INET6
|
167
|
+
ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
|
168
|
+
else
|
169
|
+
false
|
170
|
+
end
|
171
|
+
end
|
172
|
+
|
80
173
|
def backoff(backoff)
|
81
174
|
case backoff
|
82
175
|
when Proc then backoff
|
83
|
-
when Numeric then
|
84
|
-
else
|
176
|
+
when Numeric then ->(_) { sleep(backoff) }
|
177
|
+
else ->(num_failures) { Kernel.sleep(1.2**num_failures) }
|
85
178
|
end
|
86
179
|
end
|
87
180
|
|
@@ -89,68 +182,99 @@ module Aws
|
|
89
182
|
# Retry loading credentials up to 3 times is the instance metadata
|
90
183
|
# service is responding but is returning invalid JSON documents
|
91
184
|
# in response to the GET profile credentials call.
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
end
|
102
|
-
rescue Aws::Json::ParseError
|
103
|
-
raise Aws::Errors::MetadataParserError.new
|
185
|
+
|
186
|
+
retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
|
187
|
+
c = Aws::Json.load(get_credentials.to_s)
|
188
|
+
@credentials = Credentials.new(
|
189
|
+
c['AccessKeyId'],
|
190
|
+
c['SecretAccessKey'],
|
191
|
+
c['Token']
|
192
|
+
)
|
193
|
+
@expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
|
104
194
|
end
|
195
|
+
rescue Aws::Json::ParseError
|
196
|
+
raise Aws::Errors::MetadataParserError
|
105
197
|
end
|
106
198
|
|
107
199
|
def get_credentials
|
108
200
|
# Retry loading credentials a configurable number of times if
|
109
201
|
# the instance metadata service is not responding.
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
end
|
202
|
+
|
203
|
+
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
204
|
+
open_connection do |conn|
|
205
|
+
http_get(conn, @credential_path)
|
115
206
|
end
|
116
|
-
rescue
|
117
|
-
'{}'
|
118
207
|
end
|
208
|
+
rescue TokenFileReadError, InvalidTokenError
|
209
|
+
raise
|
210
|
+
rescue StandardError
|
211
|
+
'{}'
|
212
|
+
end
|
213
|
+
|
214
|
+
def fetch_authorization_token
|
215
|
+
if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
|
216
|
+
fetch_authorization_token_file(path)
|
217
|
+
elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
|
218
|
+
token
|
219
|
+
end
|
220
|
+
end
|
221
|
+
|
222
|
+
def fetch_authorization_token_file(path)
|
223
|
+
File.read(path).strip
|
224
|
+
rescue Errno::ENOENT
|
225
|
+
raise TokenFileReadError,
|
226
|
+
'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
|
227
|
+
"but the file doesn't exist: #{path}"
|
228
|
+
end
|
229
|
+
|
230
|
+
def validate_authorization_token!(token)
|
231
|
+
return unless token.include?("\r\n")
|
232
|
+
|
233
|
+
raise InvalidTokenError,
|
234
|
+
'Invalid Authorization token: token contains '\
|
235
|
+
'a newline and carriage return character.'
|
119
236
|
end
|
120
237
|
|
121
238
|
def open_connection
|
122
|
-
http = Net::HTTP.new(@
|
239
|
+
http = Net::HTTP.new(@host, @port, nil)
|
123
240
|
http.open_timeout = @http_open_timeout
|
124
241
|
http.read_timeout = @http_read_timeout
|
125
242
|
http.set_debug_output(@http_debug_output) if @http_debug_output
|
243
|
+
http.use_ssl = @scheme == 'https'
|
126
244
|
http.start
|
127
245
|
yield(http).tap { http.finish }
|
128
246
|
end
|
129
247
|
|
130
248
|
def http_get(connection, path)
|
131
|
-
|
132
|
-
|
133
|
-
|
134
|
-
|
135
|
-
|
249
|
+
request = Net::HTTP::Get.new(path)
|
250
|
+
set_authorization_token(request)
|
251
|
+
response = connection.request(request)
|
252
|
+
raise Non200Response unless response.code.to_i == 200
|
253
|
+
|
254
|
+
response.body
|
255
|
+
end
|
256
|
+
|
257
|
+
def set_authorization_token(request)
|
258
|
+
if (authorization_token = fetch_authorization_token)
|
259
|
+
validate_authorization_token!(authorization_token)
|
260
|
+
request['Authorization'] = authorization_token
|
136
261
|
end
|
137
262
|
end
|
138
263
|
|
139
|
-
def retry_errors(error_classes, options = {}
|
264
|
+
def retry_errors(error_classes, options = {})
|
140
265
|
max_retries = options[:max_retries]
|
141
266
|
retries = 0
|
142
267
|
begin
|
143
268
|
yield
|
144
|
-
rescue
|
145
|
-
|
146
|
-
|
147
|
-
|
148
|
-
|
149
|
-
|
150
|
-
|
151
|
-
|
269
|
+
rescue TokenFileReadError, InvalidTokenError
|
270
|
+
raise
|
271
|
+
rescue *error_classes => _e
|
272
|
+
raise unless retries < max_retries
|
273
|
+
|
274
|
+
@backoff.call(retries)
|
275
|
+
retries += 1
|
276
|
+
retry
|
152
277
|
end
|
153
278
|
end
|
154
|
-
|
155
279
|
end
|
156
280
|
end
|
@@ -2,6 +2,11 @@
|
|
2
2
|
|
3
3
|
module Aws
|
4
4
|
module Endpoints
|
5
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
6
|
+
# resolution approach. It has been replaced by a code generated
|
7
|
+
# approach in each service gem. It can be removed in a new
|
8
|
+
# major version. It has to exist because
|
9
|
+
# old service gems can use a new core version.
|
5
10
|
# @api private
|
6
11
|
class Condition
|
7
12
|
def initialize(fn:, argv:, assign: nil)
|
@@ -2,7 +2,11 @@
|
|
2
2
|
|
3
3
|
module Aws
|
4
4
|
module Endpoints
|
5
|
-
#
|
5
|
+
# This class is deprecated. It is used by the Runtime endpoint
|
6
|
+
# resolution approach. It has been replaced by a code generated
|
7
|
+
# approach in each service gem. It can be removed in a new
|
8
|
+
# major version. It has to exist because
|
9
|
+
# old service gems can use a new core version. # @api private
|
6
10
|
class EndpointRule < Rule
|
7
11
|
def initialize(type: 'endpoint', conditions:, endpoint:,
|
8
12
|
documentation: nil)
|