aws-sdk-core 3.185.1 → 3.214.0

data/lib/aws-sdk-sts/types.rb

@@ -26,10 +26,21 @@ module Aws::STS
     #   that use the temporary security credentials will expose the role
     #   session name to the external account in their CloudTrail logs.
     #
+    #   For security purposes, administrators can view this field in
+    #   [CloudTrail logs][1] to help identify who performed an action in
+    #   Amazon Web Services. Your administrator might require that you
+    #   specify your user name as the session name when you assume the role.
+    #   For more information, see [ `sts:RoleSessionName` ][2].
+    #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
     #   @return [String]
     #
     # @!attribute [rw] policy_arns
@@ -101,6 +112,9 @@ module Aws::STS
     #
     #    </note>
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -125,8 +139,7 @@ module Aws::STS
     #   However, if you assume a role using role chaining and provide a
     #   `DurationSeconds` parameter value greater than one hour, the
     #   operation fails. To learn how to view the maximum value for your
-    #   role, see [View the Maximum Session Duration Setting for a Role][1]
-    #   in the *IAM User Guide*.
+    #   role, see [Update the maximum session duration for a role][1].
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -142,7 +155,7 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
@@ -199,9 +212,8 @@ module Aws::STS
     #   passes to subsequent sessions in a role chain. For more information,
     #   see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
     #
-    #   This parameter is optional. When you set session tags as transitive,
-    #   the session policy and session tags packed binary limit is not
-    #   affected.
+    #   This parameter is optional. The transitive status of a session tag
+    #   does not impact its packed binary size.
     #
     #   If you choose not to specify a transitive tag key, then no tags are
     #   passed from this session to any subsequent sessions.
@@ -263,17 +275,18 @@ module Aws::STS
     #
     # @!attribute [rw] source_identity
     #   The source identity specified by the principal that is calling the
-    #   `AssumeRole` operation.
+    #   `AssumeRole` operation. The source identity value persists across
+    #   [chained role][1] sessions.
     #
     #   You can require users to specify a source identity when they assume
-    #   a role. You do this by using the `sts:SourceIdentity` condition key
-    #   in a role trust policy. You can use source identity information in
-    #   CloudTrail logs to determine who took actions with a role. You can
-    #   use the `aws:SourceIdentity` condition key to further control access
-    #   to Amazon Web Services resources based on the value of source
-    #   identity. For more information about using source identity, see
-    #   [Monitor and control actions taken with assumed roles][1] in the
-    #   *IAM User Guide*.
+    #   a role. You do this by using the [ `sts:SourceIdentity` ][2]
+    #   condition key in a role trust policy. You can use source identity
+    #   information in CloudTrail logs to determine who took actions with a
+    #   role. You can use the `aws:SourceIdentity` condition key to further
+    #   control access to Amazon Web Services resources based on the value
+    #   of source identity. For more information about using source
+    #   identity, see [Monitor and control actions taken with assumed
+    #   roles][3] in the *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
@@ -284,11 +297,22 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
     # @!attribute [rw] provided_contexts
-    #   Reserved for future use.
+    #   A list of previously acquired trusted context assertions in the
+    #   format of a JSON array. The trusted context assertion is signed and
+    #   encrypted by Amazon Web Services STS.
+    #
+    #   The following is an example of a `ProvidedContext` value that
+    #   includes a single trusted context assertion and the ARN of the
+    #   context provider from which the trusted context assertion was
+    #   generated.
+    #
+    #   `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
     #   @return [Array<Types::ProvidedContext>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
@@ -456,6 +480,9 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
     #   session policy, managed policy ARNs, and session tags into a packed
     #   binary format that has a separate limit. Your request can fail for
@@ -591,6 +618,8 @@ module Aws::STS
     #
     # @!attribute [rw] source_identity
     #   The value in the `SourceIdentity` attribute in the SAML assertion.
+    #   The source identity value persists across [chained role][1]
+    #   sessions.
     #
     #   You can require users to set a source identity value when they
     #   assume a role. You do this by using the `sts:SourceIdentity`
@@ -598,12 +627,12 @@ module Aws::STS
     #   taken with the role are associated with that user. After the source
     #   identity is set, the value cannot be changed. It is present in the
     #   request for all actions that are taken by the role and persists
-    #   across [chained role][1] sessions. You can configure your SAML
+    #   across [chained role][2] sessions. You can configure your SAML
     #   identity provider to use an attribute associated with your users,
     #   like user name or email, as the source identity when calling
     #   `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
     #   assertion. For more information about using source identity, see
-    #   [Monitor and control actions taken with assumed roles][2] in the
+    #   [Monitor and control actions taken with assumed roles][3] in the
     #   *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
@@ -613,8 +642,9 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
-    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
@@ -636,6 +666,24 @@ module Aws::STS
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
     #   assuming.
+    #
+    #   <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools
+    #   that assume [cross-account IAM roles][1]. The trust policies of
+    #   these roles must accept the `cognito-identity.amazonaws.com` service
+    #   principal and must contain the `cognito-identity.amazonaws.com:aud`
+    #   condition key to restrict role assumption to users from your
+    #   intended identity pools. A policy that trusts Amazon Cognito
+    #   identity pools without this condition creates a risk that a user
+    #   from an unintended identity pool can assume the role. For more
+    #   information, see [ Trust policies for IAM roles in Basic (Classic)
+    #   authentication ][2] in the *Amazon Cognito Developer Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
     #   @return [String]
     #
     # @!attribute [rw] role_session_name
@@ -646,10 +694,21 @@ module Aws::STS
     #   session name is included as part of the ARN and assumed role ID in
     #   the `AssumedRoleUser` response element.
     #
+    #   For security purposes, administrators can view this field in
+    #   [CloudTrail logs][1] to help identify who performed an action in
+    #   Amazon Web Services. Your administrator might require that you
+    #   specify your user name as the session name when you assume the role.
+    #   For more information, see [ `sts:RoleSessionName` ][2].
+    #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
     #   @return [String]
     #
     # @!attribute [rw] web_identity_token
@@ -657,8 +716,9 @@ module Aws::STS
     #   provided by the identity provider. Your application must get this
     #   token by authenticating the user who is using your application with
     #   a web identity provider before the application makes an
-    #   `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
-    #   (RS256) are supported.
+    #   `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
+    #   formatted as either an integer or a long integer. Only tokens with
+    #   RSA algorithms (RS256) are supported.
     #   @return [String]
     #
     # @!attribute [rw] provider_id
@@ -732,6 +792,9 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
     #   session policy, managed policy ARNs, and session tags into a packed
     #   binary format that has a separate limit. Your request can fail for
@@ -872,7 +935,7 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
     #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
@@ -891,6 +954,94 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # @!attribute [rw] target_principal
+    #   The member account principal ARN or account ID.
+    #   @return [String]
+    #
+    # @!attribute [rw] task_policy_arn
+    #   The identity based policy that scopes the session to the privileged
+    #   tasks that can be performed. You can use one of following Amazon Web
+    #   Services managed policies to scope root session actions. You can add
+    #   additional customer managed policies to further limit the
+    #   permissions for the root session.
+    #
+    #   * [IAMAuditRootUserCredentials][1]
+    #
+    #   * [IAMCreateRootUserPassword][2]
+    #
+    #   * [IAMDeleteRootUserCredentials][3]
+    #
+    #   * [S3UnlockBucketPolicy][4]
+    #
+    #   * [SQSUnlockQueuePolicy][5]
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
+    #   @return [Types::PolicyDescriptorType]
+    #
+    # @!attribute [rw] duration_seconds
+    #   The duration, in seconds, of the privileged session. The value can
+    #   range from 0 seconds up to the maximum session duration of 900
+    #   seconds (15 minutes). If you specify a value higher than this
+    #   setting, the operation fails.
+    #
+    #   By default, the value is set to `900` seconds.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootRequest AWS API Documentation
+    #
+    class AssumeRootRequest < Struct.new(
+      :target_principal,
+      :task_policy_arn,
+      :duration_seconds)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] credentials
+    #   The temporary security credentials, which include an access key ID,
+    #   a secret access key, and a security token.
+    #
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
+    #   fixed. We strongly recommend that you make no assumptions about the
+    #   maximum size.
+    #
+    #    </note>
+    #   @return [Types::Credentials]
+    #
+    # @!attribute [rw] source_identity
+    #   The source identity specified by the principal that is calling the
+    #   `AssumeRoot` operation.
+    #
+    #   You can use the `aws:SourceIdentity` condition key to control access
+    #   based on the value of source identity. For more information about
+    #   using source identity, see [Monitor and control actions taken with
+    #   assumed roles][1] in the *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootResponse AWS API Documentation
+    #
+    class AssumeRootResponse < Struct.new(
+      :credentials,
+      :source_identity)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The identifiers for the temporary security credentials that the
     # operation returns.
     #
@@ -1410,7 +1561,8 @@ module Aws::STS
 
     # The error returned if the message passed to
     # `DecodeAuthorizationMessage` was invalid. This can happen if the token
-    # contains invalid characters, such as linebreaks.
+    # contains invalid characters, such as line breaks, or if the message
+    # has expired.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1503,14 +1655,19 @@ module Aws::STS
       include Aws::Structure
     end
 
-    # Reserved for future use.
+    # Contains information about the provided context. This includes the
+    # signed and encrypted trusted context assertion and the context
+    # provider ARN from which the trusted context assertion was generated.
     #
     # @!attribute [rw] provider_arn
-    #   Reserved for future use.
+    #   The context provider ARN from which the trusted context assertion
+    #   was generated.
     #   @return [String]
     #
     # @!attribute [rw] context_assertion
-    #   Reserved for future use.
+    #   The signed and encrypted trusted context assertion generated by the
+    #   context provider. The trusted context assertion is signed and
+    #   encrypted by Amazon Web Services STS.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/ProvidedContext AWS API Documentation
@@ -1525,8 +1682,8 @@ module Aws::STS
     # STS is not activated in the requested region for the account that is
     # being asked to generate credentials. The account administrator must
     # use the IAM console to activate STS in that region. For more
-    # information, see [Activating and Deactivating Amazon Web Services STS
-    # in an Amazon Web Services Region][1] in the *IAM User Guide*.
+    # information, see [Activating and Deactivating STS in an Amazon Web
+    # Services Region][1] in the *IAM User Guide*.
     #
     #
     #
@@ -1588,3 +1745,4 @@ module Aws::STS
 
   end
 end
+

data/lib/aws-sdk-sts.rb

@@ -13,16 +13,7 @@ unless Module.const_defined?(:Aws)
   require 'aws-sigv4'
 end
 
-require_relative 'aws-sdk-sts/types'
-require_relative 'aws-sdk-sts/client_api'
-require_relative 'aws-sdk-sts/plugins/endpoints.rb'
-require_relative 'aws-sdk-sts/client'
-require_relative 'aws-sdk-sts/errors'
-require_relative 'aws-sdk-sts/resource'
-require_relative 'aws-sdk-sts/endpoint_parameters'
-require_relative 'aws-sdk-sts/endpoint_provider'
-require_relative 'aws-sdk-sts/endpoints'
-require_relative 'aws-sdk-sts/customizations'
+Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
 
 # This module provides support for AWS Security Token Service. This module is available in the
 # `aws-sdk-core` gem.
@@ -53,7 +44,20 @@ require_relative 'aws-sdk-sts/customizations'
 #
 # @!group service
 module Aws::STS
+  autoload :Types, 'aws-sdk-sts/types'
+  autoload :ClientApi, 'aws-sdk-sts/client_api'
+  module Plugins
+    autoload :Endpoints, 'aws-sdk-sts/plugins/endpoints.rb'
+  end
+  autoload :Client, 'aws-sdk-sts/client'
+  autoload :Errors, 'aws-sdk-sts/errors'
+  autoload :Resource, 'aws-sdk-sts/resource'
+  autoload :EndpointParameters, 'aws-sdk-sts/endpoint_parameters'
+  autoload :EndpointProvider, 'aws-sdk-sts/endpoint_provider'
+  autoload :Endpoints, 'aws-sdk-sts/endpoints'
 
-  GEM_VERSION = '3.185.1'
+  GEM_VERSION = '3.214.0'
 
 end
+
+require_relative 'aws-sdk-sts/customizations'

data/lib/seahorse/client/async_base.rb

@@ -5,12 +5,12 @@ module Seahorse
     class AsyncBase < Seahorse::Client::Base
 
       # default H2 plugins
+      # @api private
       @plugins = PluginList.new([
         Plugins::Endpoint,
         Plugins::H2,
         Plugins::ResponseTarget
       ])
-
       def initialize(plugins, options)
         super
         @connection = H2::Connection.new(options)

data/lib/seahorse/client/async_response.rb

@@ -12,24 +12,43 @@ module Seahorse
         @sync_queue = options[:sync_queue]
       end
 
+      # @return [RequestContext]
       def context
         @response.context
       end
 
+      # @return [StandardError, nil]
       def error
         @response.error
       end
 
+      # @overload on(status_code, &block)
+      #   @param [Integer] status_code The block will be
+      #     triggered only for responses with the given status code.
+      #
+      # @overload on(status_code_range, &block)
+      #   @param [Range<Integer>] status_code_range The block will be
+      #     triggered only for responses with a status code that falls
+      #     witin the given range.
+      #
+      # @return [self]
       def on(range, &block)
         @response.on(range, &block)
         self
       end
 
+      # @api private
       def on_complete(&block)
         @response.on_complete(&block)
         self
       end
 
+      # @return [Boolean] Returns `true` if the response is complete with
+      #   no error.
+      def successful?
+        @response.error.nil?
+      end
+
       def wait
         if error && context.config.raise_response_errors
           raise error

data/lib/seahorse/client/base.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require 'thread'
-
 module Seahorse
   module Client
     class Base
@@ -9,6 +7,7 @@ module Seahorse
       include HandlerBuilder
 
       # default plugins
+      # @api private
       @plugins = PluginList.new([
         Plugins::Endpoint,
         Plugins::NetHttp,
@@ -59,6 +58,7 @@ module Seahorse
       def build_config(plugins, options)
         config = Configuration.new
         config.add_option(:api)
+        config.add_option(:plugins)
         plugins.each do |plugin|
           plugin.add_options(config) if plugin.respond_to?(:add_options)
         end
@@ -95,9 +95,9 @@ module Seahorse
       class << self
 
         def new(options = {})
-          plugins = build_plugins
           options = options.dup
-          before_initialize(plugins, options)
+          plugins = build_plugins(self.plugins + options.fetch(:plugins, []))
+          plugins = before_initialize(plugins, options)
           client = allocate
           client.send(:initialize, plugins, options)
           client
@@ -208,17 +208,28 @@ module Seahorse
           include(operations_module)
         end
 
-        def build_plugins
+        def build_plugins(plugins)
           plugins.map { |plugin| plugin.is_a?(Class) ? plugin.new : plugin }
         end
 
         def before_initialize(plugins, options)
-          plugins.each do |plugin|
-            plugin.before_initialize(self, options) if plugin.respond_to?(:before_initialize)
+          queue = Queue.new
+          plugins.each { |plugin| queue.push(plugin) }
+          until queue.empty?
+            plugin = queue.pop
+            next unless plugin.respond_to?(:before_initialize)
+
+            plugins_before = options.fetch(:plugins, [])
+            plugin.before_initialize(self, options)
+            plugins_after = build_plugins(options.fetch(:plugins, []) - plugins_before)
+            # Plugins with before_initialize can add other plugins
+            plugins_after.each { |p| queue.push(p); plugins << p }
           end
+          plugins
         end
 
         def inherited(subclass)
+          super
           subclass.instance_variable_set('@plugins', PluginList.new(@plugins))
         end
 

data/lib/seahorse/client/h2/handler.rb

@@ -27,6 +27,12 @@ module Seahorse
       class Handler < Client::Handler
 
         def call(context)
+          span_wrapper(context) { _call(context) }
+        end
+
+        private
+
+        def _call(context)
           stream = nil
           begin
             conn = context.client.connection
@@ -80,8 +86,6 @@ module Seahorse
           )
         end
 
-        private
-
         def _register_callbacks(resp, stream, stream_mutex, close_condition, sync_queue)
           stream.on(:headers) do |headers|
             resp.signal_headers(headers)
@@ -126,6 +130,7 @@ module Seahorse
         # https://http2.github.io/http2-spec/#rfc.section.8.1.2.3
         def _h2_headers(req)
           headers = {}
+          headers[':authority'] = req.endpoint.host
           headers[':method'] = req.http_method.upcase
           headers[':scheme'] = req.endpoint.scheme
           headers[':path'] = req.endpoint.path.empty? ? '/' : req.endpoint.path
@@ -145,8 +150,14 @@ module Seahorse
           end
         end
 
+        def span_wrapper(context, &block)
+          context.tracer.in_span(
+            'Handler.H2',
+            attributes: Aws::Telemetry.http_request_attrs(context),
+            &block
+          )
+        end
       end
-
     end
   end
 end

data/lib/seahorse/client/handler.rb

@@ -15,7 +15,7 @@ module Seahorse
       attr_accessor :handler
 
       # @param [RequestContext] context
-      # @return [Response]
+      # @return [Seahorse::Response]
       def call(context)
         @handler.call(context)
       end

data/lib/seahorse/client/net_http/connection_pool.rb

@@ -34,7 +34,9 @@ module Seahorse
           ssl_ca_bundle: nil,
           ssl_ca_directory: nil,
           ssl_ca_store: nil,
-          ssl_timeout: nil
+          ssl_timeout: nil,
+          ssl_cert: nil,
+          ssl_key: nil
         }
 
         # @api private
@@ -119,11 +121,7 @@ module Seahorse
         #   pool, not counting those currently in use.
         def size
           @pool_mutex.synchronize do
-            size = 0
-            @pool.each_pair do |endpoint,sessions|
-              size += sessions.size
-            end
-            size
+            @pool.values.flatten.size
           end
         end
 
@@ -142,9 +140,7 @@ module Seahorse
         # @return [nil]
         def empty!
           @pool_mutex.synchronize do
-            @pool.each_pair do |endpoint,sessions|
-              sessions.each(&:finish)
-            end
+            @pool.values.flatten.map(&:finish)
             @pool.clear
           end
           nil
@@ -252,7 +248,9 @@ module Seahorse
               :ssl_ca_bundle => options[:ssl_ca_bundle],
               :ssl_ca_directory => options[:ssl_ca_directory],
               :ssl_ca_store => options[:ssl_ca_store],
-              :ssl_timeout => options[:ssl_timeout]
+              :ssl_timeout => options[:ssl_timeout],
+              :ssl_cert => options[:ssl_cert],
+              :ssl_key => options[:ssl_key]
             }
           end
 
@@ -297,6 +295,8 @@ module Seahorse
               http.ca_file = ssl_ca_bundle if ssl_ca_bundle
               http.ca_path = ssl_ca_directory if ssl_ca_directory
               http.cert_store = ssl_ca_store if ssl_ca_store
+              http.cert = ssl_cert if ssl_cert
+              http.key = ssl_key if ssl_key
             else
               http.verify_mode = OpenSSL::SSL::VERIFY_NONE
             end
@@ -312,7 +312,7 @@ module Seahorse
         # @note **Must** be called behind a `@pool_mutex` synchronize block.
         def _clean
           now = Aws::Util.monotonic_milliseconds
-          @pool.each_pair do |endpoint,sessions|
+          @pool.values.each do |sessions|
             sessions.delete_if do |session|
               if session.last_used.nil? or now - session.last_used > http_idle_timeout * 1000
                 session.finish