aws-sdk-core 3.181.0 → 3.190.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 146ac9f16fcd2580c959c58a93c911c2fb023caea3d9113fa29da22e85627eaf
-  data.tar.gz: f33db208ab8d3cac7a8f96d4c7e8c8609ca48b4a01c5db136c5210cbe70f8ca2
+  metadata.gz: 2da64972b1ed2710a16962a58908df05a60490439c44bf21e4c9482fef4856c8
+  data.tar.gz: 54aa4de531c85e2d44549a9f984b4074c4728be61b807b57ba3633a69e17fd1c
 SHA512:
-  metadata.gz: 5074b88e182acdfb8ef77a11e72bd3a23b737f124103e213d95fd2e09d59e93364da10ca99f7b2c7d8ec4754bcff474480c8ba301f313bebf66e08e4f91bb5b9
-  data.tar.gz: 7d6e5a2a1442fd5c926b6f691d505eaf830e47ef9eac5a6f9f984f8d9bedeb161bf5dfada064b67baab61c9c8c4772bcfbacaaa1d75ddafd283ba6b87e5db8a9
+  metadata.gz: 546c523ec0f9324ee3c3ea4fbe4d1a060204b159ce91bda217f4b390c2ca4255a06b8e4580b84f2459d5b5ad1d6cdb75317da96efbcfa119d4ff6308645ace7f
+  data.tar.gz: f663e1491935bc5376af8246b33281a278fd07f40c5309b0c4731e93dbd456156ac4359a24768b3fa87530dc4fa94d8b03b4e7c56fd4ccb6337b76e3aff83678

data/CHANGELOG.md

@@ -1,6 +1,90 @@
 Unreleased Changes
 ------------------
 
+3.190.0 (2023-11-29)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.189.0 (2023-11-28)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support S3 Express authentication.
+
+3.188.0 (2023-11-22)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.3 and 2.4.
+
+* Feature - Support `AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE` in `ECSCredentials` and also allow for ECS and EKS link-local http addresses.
+
+3.187.1 (2023-11-20)
+------------------
+
+* Issue - For `awsQueryCompatible` services, default an empty list or map for shapes that were previously flattened in the query protocol.
+
+3.187.0 (2023-11-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+3.186.0 (2023-11-02)
+------------------
+
+* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
+
+3.185.2 (2023-10-31)
+------------------
+
+* Issue - Fix query string support to lists of booleans, floats, integers and timestamps per rest-json protocol.
+
+3.185.1 (2023-10-05)
+------------------
+
+* Issue - Ignore `__type` when deserializing Unions.
+
+3.185.0 (2023-10-02)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.184.0 (2023-09-27)
+------------------
+
+* Feature - Change the `ServiceError` data member from read only to read/write.
+
+3.183.1 (2023-09-25)
+------------------
+
+* Issue - Remove value inspection from param validation errors.
+
+3.183.0 (2023-09-20)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+3.182.0 (2023-09-19)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.181.1 (2023-09-14)
+------------------
+
+* Issue - Fix host label validation in endpoint matchers.
+
 3.181.0 (2023-08-22)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.181.0
+3.190.0

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -6,7 +6,7 @@ require 'resolv'
 
 module Aws
   # An auto-refreshing credential provider that loads credentials from
-  # instances running in ECS.
+  # instances running in containers.
   #
   #     ecs_credentials = Aws::ECSCredentials.new(retries: 3)
   #     ec2 = Aws::EC2::Client.new(credentials: ecs_credentials)
@@ -17,6 +17,12 @@ module Aws
     # @api private
     class Non200Response < RuntimeError; end
 
+    # Raised when the token file cannot be read.
+    class TokenFileReadError < RuntimeError; end
+
+    # Raised when the token file is invalid.
+    class InvalidTokenError < RuntimeError; end
+
     # These are the errors we trap when attempting to talk to the
     # instance metadata service.  Any of these imply the service
     # is not present, no responding or some other non-recoverable
@@ -41,7 +47,7 @@ module Aws
     #   is set and `credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
     #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
-    # @option options [String] :endpoint The ECS credential endpoint.
+    # @option options [String] :endpoint The container credential endpoint.
     #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
     #   environment variable. This value is ignored if `credential_path` or
     #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
@@ -64,7 +70,6 @@ module Aws
       endpoint = options[:endpoint] ||
                  ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
       initialize_uri(options, credential_path, endpoint)
-      @authorization_token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN']
 
       @retries = options[:retries] || 5
       @http_open_timeout = options[:http_open_timeout] || 5
@@ -103,11 +108,18 @@ module Aws
 
     def initialize_full_uri(endpoint)
       uri = URI.parse(endpoint)
+      validate_full_uri_scheme!(uri)
       validate_full_uri!(uri)
-      @host = uri.host
+      @host = uri.hostname
       @port = uri.port
       @scheme = uri.scheme
-      @credential_path = uri.path
+      @credential_path = uri.request_uri
+    end
+
+    def validate_full_uri_scheme!(full_uri)
+      return if full_uri.is_a?(URI::HTTP) || full_uri.is_a?(URI::HTTPS)
+
+      raise ArgumentError, "'#{full_uri}' must be a valid HTTP or HTTPS URI"
     end
 
     # Validate that the full URI is using a loopback address if scheme is http.
@@ -115,19 +127,24 @@ module Aws
       return unless full_uri.scheme == 'http'
 
       begin
-        return if ip_loopback?(IPAddr.new(full_uri.host))
+        return if valid_ip_address?(IPAddr.new(full_uri.host))
       rescue IPAddr::InvalidAddressError
         addresses = Resolv.getaddresses(full_uri.host)
-        return if addresses.all? { |addr| ip_loopback?(IPAddr.new(addr)) }
+        return if addresses.all? { |addr| valid_ip_address?(IPAddr.new(addr)) }
       end
 
       raise ArgumentError,
-            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a loopback '\
-            'address when using the http scheme.'
+            'AWS_CONTAINER_CREDENTIALS_FULL_URI must use a local loopback '\
+            'or an ECS or EKS link-local address when using the http scheme.'
+    end
+
+    def valid_ip_address?(ip_address)
+      ip_loopback?(ip_address) || ecs_or_eks_ip?(ip_address)
     end
 
     # loopback? method is available in Ruby 2.5+
     # Replicate the logic here.
+    # loopback (IPv4 127.0.0.0/8, IPv6 ::1/128)
     def ip_loopback?(ip_address)
       case ip_address.family
       when Socket::AF_INET
@@ -139,6 +156,20 @@ module Aws
       end
     end
 
+    # Verify that the IP address is a link-local address from ECS or EKS.
+    # ECS container host (IPv4 `169.254.170.2`)
+    # EKS container host (IPv4 `169.254.170.23`, IPv6 `fd00:ec2::23`)
+    def ecs_or_eks_ip?(ip_address)
+      case ip_address.family
+      when Socket::AF_INET
+        [0xa9feaa02, 0xa9feaa17].include?(ip_address)
+      when Socket::AF_INET6
+        ip_address == 0xfd00_0ec2_0000_0000_0000_0000_0000_0023
+      else
+        false
+      end
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -174,10 +205,36 @@ module Aws
           http_get(conn, @credential_path)
         end
       end
+    rescue TokenFileReadError, InvalidTokenError
+      raise
     rescue StandardError
       '{}'
     end
 
+    def fetch_authorization_token
+      if (path = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE'])
+        fetch_authorization_token_file(path)
+      elsif (token = ENV['AWS_CONTAINER_AUTHORIZATION_TOKEN'])
+        token
+      end
+    end
+
+    def fetch_authorization_token_file(path)
+      File.read(path).strip
+    rescue Errno::ENOENT
+      raise TokenFileReadError,
+            'AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE is set '\
+            "but the file doesn't exist: #{path}"
+    end
+
+    def validate_authorization_token!(token)
+      return unless token.include?("\r\n")
+
+      raise InvalidTokenError,
+            'Invalid Authorization token: token contains '\
+            'a newline and carriage return character.'
+    end
+
     def open_connection
       http = Net::HTTP.new(@host, @port, nil)
       http.open_timeout = @http_open_timeout
@@ -190,18 +247,27 @@ module Aws
 
     def http_get(connection, path)
       request = Net::HTTP::Get.new(path)
-      request['Authorization'] = @authorization_token if @authorization_token
+      set_authorization_token(request)
       response = connection.request(request)
       raise Non200Response unless response.code.to_i == 200
 
       response.body
     end
 
+    def set_authorization_token(request)
+      if (authorization_token = fetch_authorization_token)
+        validate_authorization_token!(authorization_token)
+        request['Authorization'] = authorization_token
+      end
+    end
+
     def retry_errors(error_classes, options = {})
       max_retries = options[:max_retries]
       retries = 0
       begin
         yield
+      rescue TokenFileReadError, InvalidTokenError
+        raise
       rescue *error_classes => _e
         raise unless retries < max_retries
 

data/lib/aws-sdk-core/endpoints/matchers.rb

@@ -79,11 +79,11 @@ module Aws
         return false if value.empty?
 
         if allow_sub_domains
-          labels = value.split('.')
+          labels = value.split('.', -1)
           return labels.all? { |l| valid_host_label?(l) }
         end
 
-        value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/
+        !!(value =~ /\A(?!-)[a-zA-Z0-9-]{1,63}(?<!-)\z/)
       end
 
       # AWS
@@ -114,13 +114,17 @@ module Aws
 
       # aws.isVirtualHostableS3Bucket(value: string, allowSubDomains: bool) bool
       def self.aws_virtual_hostable_s3_bucket?(value, allow_sub_domains = false)
-        !!(value.size < 64 &&
-          # regular naming rules
-          value =~ /^[a-z0-9][a-z0-9\-#{'.' if allow_sub_domains}]+[a-z0-9]$/ &&
-          # not IP address
-          value !~ /(\d+\.){3}\d+/ &&
-          # no dash and hyphen together
-          value !~ /[.-]{2}/)
+        return false if value.empty?
+
+        if allow_sub_domains
+          labels = value.split('.', -1)
+          return labels.all? { |l| aws_virtual_hostable_s3_bucket?(l) }
+        end
+
+        # must be between 3 and 63 characters long, no uppercase
+        value =~ /\A(?!-)[a-z0-9-]{3,63}(?<!-)\z/ &&
+          # not an IP address
+          value !~ /(\d+\.){3}\d+/
       end
     end
   end

data/lib/aws-sdk-core/endpoints.rb

@@ -53,7 +53,7 @@ module Aws
       end
 
       def merge_signing_defaults(auth_scheme, config)
-        if %w[sigv4 sigv4a].include?(auth_scheme['name'])
+        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
           auth_scheme['signingName'] ||= sigv4_name(config)
           if auth_scheme['name'] == 'sigv4a'
             auth_scheme['signingRegionSet'] ||= ['*']

data/lib/aws-sdk-core/errors.rb

@@ -30,7 +30,7 @@ module Aws
       attr_reader :context
 
       # @return [Aws::Structure]
-      attr_reader :data
+      attr_accessor :data
 
       class << self
 

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -53,6 +53,8 @@ module Aws
     # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
     #   the instance metadata service. This is either 'IPv4' ('169.254.169.254')
     #   or 'IPv6' ('[fd00:ec2::254]').
+    # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
+    #  legacy EC2 Metadata Service v1.
     # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
     #   :endpoint instead. The IP address for the endpoint.
     # @option options [Integer] :port (80)
@@ -77,6 +79,9 @@ module Aws
       endpoint_mode = resolve_endpoint_mode(options)
       @endpoint = resolve_endpoint(options, endpoint_mode)
       @port = options[:port] || 80
+      @disable_imds_v1 = resolve_disable_v1(options)
+      # Flag for if v2 flow fails, skip future attempts
+      @imds_v1_fallback = false
       @http_open_timeout = options[:http_open_timeout] || 1
       @http_read_timeout = options[:http_read_timeout] || 1
       @http_debug_output = options[:http_debug_output]
@@ -123,6 +128,16 @@ module Aws
       end
     end
 
+    def resolve_disable_v1(options)
+      value = options[:disable_imds_v1]
+      value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
+      value ||= Aws.shared_config.ec2_metadata_v1_disabled(
+        profile: options[:profile]
+      )
+      value = value.to_s.downcase if value
+      Aws::Util.str_2_bool(value) || false
+    end
+
     def backoff(backoff)
       case backoff
       when Proc then backoff
@@ -141,7 +156,7 @@ module Aws
       # service is responding but is returning invalid JSON documents
       # in response to the GET profile credentials call.
       begin
-        retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
+        retry_errors([Aws::Json::ParseError], max_retries: 3) do
           c = Aws::Json.load(get_credentials.to_s)
           if empty_credentials?(@credentials)
             @credentials = Credentials.new(
@@ -173,7 +188,6 @@ module Aws
               end
             end
           end
-
         end
       rescue Aws::Json::ParseError
         raise Aws::Errors::MetadataParserError
@@ -191,34 +205,14 @@ module Aws
             open_connection do |conn|
               # attempt to fetch token to start secure flow first
               # and rescue to failover
-              begin
-                retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-                  unless token_set?
-                    created_time = Time.now
-                    token_value, ttl = http_put(
-                      conn, METADATA_TOKEN_PATH, @token_ttl
-                    )
-                    @token = Token.new(token_value, ttl, created_time) if token_value && ttl
-                  end
-                end
-              rescue *NETWORK_ERRORS
-                # token attempt failed, reset token
-                # fallback to non-token mode
-                @token = nil
-              end
-
+              fetch_token(conn) unless @imds_v1_fallback
               token = @token.value if token_set?
 
-              begin
-                metadata = http_get(conn, METADATA_PATH_BASE, token)
-                profile_name = metadata.lines.first.strip
-                http_get(conn, METADATA_PATH_BASE + profile_name, token)
-              rescue TokenExpiredError
-                # Token has expired, reset it
-                # The next retry should fetch it
-                @token = nil
-                raise Non200Response
-              end
+              # disable insecure flow if we couldn't get token
+              # and imds v1 is disabled
+              raise TokenRetrivalError if token.nil? && @disable_imds_v1
+
+              _get_credentials(conn, token)
             end
           end
         rescue
@@ -227,6 +221,36 @@ module Aws
       end
     end
 
+    def fetch_token(conn)
+      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+        unless token_set?
+          created_time = Time.now
+          token_value, ttl = http_put(
+            conn, METADATA_TOKEN_PATH, @token_ttl
+          )
+          @token = Token.new(token_value, ttl, created_time) if token_value && ttl
+        end
+      end
+    rescue *NETWORK_ERRORS
+      # token attempt failed, reset token
+      # fallback to non-token mode
+      @token = nil
+      @imds_v1_fallback = true
+    end
+
+    # token is optional - if nil, uses v1 (insecure) flow
+    def _get_credentials(conn, token)
+      metadata = http_get(conn, METADATA_PATH_BASE, token)
+      profile_name = metadata.lines.first.strip
+      http_get(conn, METADATA_PATH_BASE + profile_name, token)
+    rescue TokenExpiredError
+      # Token has expired, reset it
+      # The next retry should fetch it
+      @token = nil
+      @imds_v1_fallback = false
+      raise Non200Response
+    end
+
     def token_set?
       @token && !@token.expired?
     end
@@ -276,8 +300,6 @@ module Aws
         ]
       when 400
         raise TokenRetrivalError
-      when 401
-        raise TokenExpiredError
       else
         raise Non200Response
       end

data/lib/aws-sdk-core/json/handler.rb

@@ -59,7 +59,10 @@ module Aws
             end
             resp_struct
           else
-            Parser.new(rules).parse(json == '' ? '{}' : json)
+            Parser.new(
+              rules,
+              query_compatible: query_compatible?(context)
+            ).parse(json == '' ? '{}' : json)
           end
         else
           EmptyStructure.new
@@ -83,6 +86,10 @@ module Aws
         context.config.simple_json
       end
 
+      def query_compatible?(context)
+        context.config.api.metadata.key?('awsQueryCompatible')
+      end
+
     end
   end
 end

data/lib/aws-sdk-core/json/parser.rb

@@ -10,8 +10,9 @@ module Aws
       include Seahorse::Model::Shapes
 
       # @param [Seahorse::Model::ShapeRef] rules
-      def initialize(rules)
+      def initialize(rules, query_compatible: false)
         @rules = rules
+        @query_compatible = query_compatible
       end
 
       # @param [String<JSON>] json
@@ -28,10 +29,26 @@ module Aws
           member_name, member_ref = shape.member_by_location_name(key)
           if member_ref
             target[member_name] = parse_ref(member_ref, value)
-          elsif shape.union
+          elsif shape.union && key != '__type'
             target[:unknown] = { 'name' => key, 'value' => value }
           end
         end
+        # In services that were previously Query/XML, members that were
+        # "flattened" defaulted to empty lists. In JSON, these values are nil,
+        # which is backwards incompatible. To preserve backwards compatibility,
+        # we set a default value of [] for these members.
+        if @query_compatible
+          ref.shape.members.each do |member_name, member_target|
+            next unless target[member_name].nil?
+
+            if flattened_list?(member_target.shape)
+              target[member_name] = []
+            elsif flattened_map?(member_target.shape)
+              target[member_name] = {}
+            end
+          end
+        end
+
         if shape.union
           # convert to subclass
           member_subclass = shape.member_subclass(target.member).new
@@ -79,6 +96,14 @@ module Aws
         value.is_a?(Numeric) ? Time.at(value) : Time.parse(value)
       end
 
+      def flattened_list?(shape)
+        shape.is_a?(ListShape) && shape.flattened
+      end
+
+      def flattened_map?(shape)
+        shape.is_a?(MapShape) && shape.flattened
+      end
+
     end
   end
 end

data/lib/aws-sdk-core/param_validator.rb

@@ -6,7 +6,7 @@ module Aws
 
     include Seahorse::Model::Shapes
 
-    EXPECTED_GOT = "expected %s to be %s, got value %s (class: %s) instead."
+    EXPECTED_GOT = 'expected %s to be %s, got class %s instead.'
 
     # @param [Seahorse::Model::Shapes::ShapeRef] rules
     # @param [Hash] params
@@ -230,7 +230,7 @@ module Aws
     end
 
     def expected_got(context, expected, got)
-      EXPECTED_GOT % [context, expected, got.inspect, got.class.name]
+      EXPECTED_GOT % [context, expected, got.class.name]
     end
 
   end

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -117,7 +117,8 @@ module Aws
 
         def call(context)
           if should_calculate_request_checksum?(context)
-            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context)
+            request_algorithm_input = ChecksumAlgorithm.request_algorithm_selection(context) ||
+                                      context[:default_request_checksum_algorithm]
             context[:checksum_algorithms] = request_algorithm_input
 
             request_checksum_property = {
@@ -140,7 +141,8 @@ module Aws
 
         def should_calculate_request_checksum?(context)
           context.operation.http_checksum &&
-            ChecksumAlgorithm.request_algorithm_selection(context)
+            (ChecksumAlgorithm.request_algorithm_selection(context) ||
+              context[:default_request_checksum_algorithm])
         end
 
         def should_verify_response_checksum?(context)

data/lib/aws-sdk-core/plugins/http_checksum.rb

@@ -12,7 +12,8 @@ module Aws
 
         def call(context)
           if checksum_required?(context) &&
-             !context[:checksum_algorithms] # skip in favor of flexible checksum
+             !context[:checksum_algorithms] && # skip in favor of flexible checksum
+             !context[:s3_express_endpoint] # s3 express endpoints do not support md5
             body = context.http_request.body
             context.http_request.headers['Content-Md5'] ||= md5(body)
           end

data/lib/aws-sdk-core/plugins/sign.rb

@@ -13,7 +13,7 @@ module Aws
       option(:sigv4_region)
       option(:unsigned_operations, default: [])
 
-      supported_auth_types = %w[sigv4 bearer none]
+      supported_auth_types = %w[sigv4 bearer sigv4-s3express none]
       supported_auth_types += ['sigv4a'] if Aws::Sigv4::Signer.use_crt?
       SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
 
@@ -24,10 +24,14 @@ module Aws
 
       # @api private
       # Return a signer with the `sign(context)` method
-      def self.signer_for(auth_scheme, config, region_override = nil)
+      def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_credentials_override = nil)
         case auth_scheme['name']
-        when 'sigv4', 'sigv4a'
-          SignatureV4.new(auth_scheme, config, region_override)
+        when 'sigv4', 'sigv4a', 'sigv4-s3express'
+          sigv4_overrides = {
+            region: sigv4_region_override,
+            credentials: sigv4_credentials_override
+          }
+          SignatureV4.new(auth_scheme, config, sigv4_overrides)
         when 'bearer'
           Bearer.new
         else
@@ -42,7 +46,8 @@ module Aws
             signer = Sign.signer_for(
               context[:auth_scheme],
               context.config,
-              context[:sigv4_region]
+              context[:sigv4_region],
+              context[:sigv4_credentials]
             )
             signer.sign(context)
           end
@@ -88,12 +93,12 @@ module Aws
 
       # @api private
       class SignatureV4
-        def initialize(auth_scheme, config, region_override = nil)
+        def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
 
-          unless %w[sigv4 sigv4a].include?(scheme_name)
+          unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
             raise ArgumentError,
-                  "Expected sigv4 or sigv4a auth scheme, got #{scheme_name}"
+                  "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
           end
 
           region = if scheme_name == 'sigv4a'
@@ -104,8 +109,8 @@ module Aws
           begin
             @signer = Aws::Sigv4::Signer.new(
               service: config.sigv4_name || auth_scheme['signingName'],
-              region: region_override || config.sigv4_region || region,
-              credentials_provider: config.credentials,
+              region: sigv4_overrides[:region] || config.sigv4_region || region,
+              credentials_provider: sigv4_overrides[:credentials] || config.credentials,
               signing_algorithm: scheme_name.to_sym,
               uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
               normalize_path: !!!auth_scheme['disableNormalizePath'],