aws-sdk-core 3.185.2 → 3.186.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +5 -0
  3. data/VERSION +1 -1
  4. data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
  5. data/lib/aws-sdk-core/shared_config.rb +1 -0
  6. data/lib/aws-sdk-sso/client.rb +1 -1
  7. data/lib/aws-sdk-sso.rb +1 -1
  8. data/lib/aws-sdk-ssooidc/client.rb +1 -1
  9. data/lib/aws-sdk-ssooidc.rb +1 -1
  10. data/lib/aws-sdk-sts/client.rb +1 -1
  11. data/lib/aws-sdk-sts.rb +1 -1
  12. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0117f7cb50c068598c310d1623a7d28eed6639c20d168ecd506fdf48040aafda
4
- data.tar.gz: 676254d312d5f27b19268fb05ec84e269b76488fe7f71c5244a38468a63bdad8
3
+ metadata.gz: 4b996ac6ca7e1d4d61926d24af262a70a2d2da40b09a8999165721b58c8995a1
4
+ data.tar.gz: a931f4b08ac8b2fd6342abbd4b799b649ee057c9e1bb9dc8cb9581ef30030f30
5
5
  SHA512:
6
- metadata.gz: '08840b98e2ab9cd7e182f0488055ae2f12d3665b08d54fe255c1b2dca17ea4923a4fd5833d8bdb4f71339e1aab015070c4b1ce14c3e7726d5a54a4f158d41e9d'
7
- data.tar.gz: 9e4a2c4e100b241728c930caabf7f1783cdf3d4f99465a0be6f917bcd3de1549ebaf46f023faa271ce892da4e54f2a1d2045b6120de2d4909e8d890c6fbd50a8
6
+ metadata.gz: b9655a1c8c71af67476d77e3248f8fd95e994aee2ac1a1c8960d9f12c4c7823ef624029661683b346653cd671c048ee00f01938fcfcade24b2a60ea344c886ec
7
+ data.tar.gz: 97cec2c4e76b50f1224f92111d47240ab8f9d318489ec30607a206b4c83623033972d4ed72a466d90eef2957eb9ae1cf2c416cc276f9a8d4bb2c057fe7f1e968
data/CHANGELOG.md CHANGED
@@ -1,6 +1,11 @@
1
1
  Unreleased Changes
2
2
  ------------------
3
3
 
4
+ 3.186.0 (2023-11-02)
5
+ ------------------
6
+
7
+ * Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
8
+
4
9
  3.185.2 (2023-10-31)
5
10
  ------------------
6
11
 
data/VERSION CHANGED
@@ -1 +1 @@
1
- 3.185.2
1
+ 3.186.0
data/lib/aws-sdk-core/instance_profile_credentials.rb CHANGED
@@ -53,6 +53,8 @@ module Aws
53
53
  # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
54
54
  # the instance metadata service. This is either 'IPv4' ('169.254.169.254')
55
55
  # or 'IPv6' ('[fd00:ec2::254]').
56
+ # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
57
+ # legacy EC2 Metadata Service v1.
56
58
  # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
57
59
  # :endpoint instead. The IP address for the endpoint.
58
60
  # @option options [Integer] :port (80)
@@ -77,6 +79,9 @@ module Aws
77
79
  endpoint_mode = resolve_endpoint_mode(options)
78
80
  @endpoint = resolve_endpoint(options, endpoint_mode)
79
81
  @port = options[:port] || 80
82
+ @disable_imds_v1 = resolve_disable_v1(options)
83
+ # Flag for if v2 flow fails, skip future attempts
84
+ @imds_v1_fallback = false
80
85
  @http_open_timeout = options[:http_open_timeout] || 1
81
86
  @http_read_timeout = options[:http_read_timeout] || 1
82
87
  @http_debug_output = options[:http_debug_output]
@@ -123,6 +128,16 @@ module Aws
123
128
  end
124
129
  end
125
130
 
131
+ def resolve_disable_v1(options)
132
+ value = options[:disable_imds_v1]
133
+ value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
134
+ value ||= Aws.shared_config.ec2_metadata_v1_disabled(
135
+ profile: options[:profile]
136
+ )
137
+ value = value.to_s.downcase if value
138
+ Aws::Util.str_2_bool(value) || false
139
+ end
140
+
126
141
  def backoff(backoff)
127
142
  case backoff
128
143
  when Proc then backoff
@@ -141,7 +156,7 @@ module Aws
141
156
  # service is responding but is returning invalid JSON documents
142
157
  # in response to the GET profile credentials call.
143
158
  begin
144
- retry_errors([Aws::Json::ParseError, StandardError], max_retries: 3) do
159
+ retry_errors([Aws::Json::ParseError], max_retries: 3) do
145
160
  c = Aws::Json.load(get_credentials.to_s)
146
161
  if empty_credentials?(@credentials)
147
162
  @credentials = Credentials.new(
@@ -173,7 +188,6 @@ module Aws
173
188
  end
174
189
  end
175
190
  end
176
-
177
191
  end
178
192
  rescue Aws::Json::ParseError
179
193
  raise Aws::Errors::MetadataParserError
@@ -191,34 +205,14 @@ module Aws
191
205
  open_connection do |conn|
192
206
  # attempt to fetch token to start secure flow first
193
207
  # and rescue to failover
194
- begin
195
- retry_errors(NETWORK_ERRORS, max_retries: @retries) do
196
- unless token_set?
197
- created_time = Time.now
198
- token_value, ttl = http_put(
199
- conn, METADATA_TOKEN_PATH, @token_ttl
200
- )
201
- @token = Token.new(token_value, ttl, created_time) if token_value && ttl
202
- end
203
- end
204
- rescue *NETWORK_ERRORS
205
- # token attempt failed, reset token
206
- # fallback to non-token mode
207
- @token = nil
208
- end
209
-
208
+ fetch_token(conn) unless @imds_v1_fallback
210
209
  token = @token.value if token_set?
211
210
 
212
- begin
213
- metadata = http_get(conn, METADATA_PATH_BASE, token)
214
- profile_name = metadata.lines.first.strip
215
- http_get(conn, METADATA_PATH_BASE + profile_name, token)
216
- rescue TokenExpiredError
217
- # Token has expired, reset it
218
- # The next retry should fetch it
219
- @token = nil
220
- raise Non200Response
221
- end
211
+ # disable insecure flow if we couldn't get token
212
+ # and imds v1 is disabled
213
+ raise TokenRetrivalError if token.nil? && @disable_imds_v1
214
+
215
+ _get_credentials(conn, token)
222
216
  end
223
217
  end
224
218
  rescue
@@ -227,6 +221,36 @@ module Aws
227
221
  end
228
222
  end
229
223
 
224
+ def fetch_token(conn)
225
+ retry_errors(NETWORK_ERRORS, max_retries: @retries) do
226
+ unless token_set?
227
+ created_time = Time.now
228
+ token_value, ttl = http_put(
229
+ conn, METADATA_TOKEN_PATH, @token_ttl
230
+ )
231
+ @token = Token.new(token_value, ttl, created_time) if token_value && ttl
232
+ end
233
+ end
234
+ rescue *NETWORK_ERRORS
235
+ # token attempt failed, reset token
236
+ # fallback to non-token mode
237
+ @token = nil
238
+ @imds_v1_fallback = true
239
+ end
240
+
241
+ # token is optional - if nil, uses v1 (insecure) flow
242
+ def _get_credentials(conn, token)
243
+ metadata = http_get(conn, METADATA_PATH_BASE, token)
244
+ profile_name = metadata.lines.first.strip
245
+ http_get(conn, METADATA_PATH_BASE + profile_name, token)
246
+ rescue TokenExpiredError
247
+ # Token has expired, reset it
248
+ # The next retry should fetch it
249
+ @token = nil
250
+ @imds_v1_fallback = false
251
+ raise Non200Response
252
+ end
253
+
230
254
  def token_set?
231
255
  @token && !@token.expired?
232
256
  end
@@ -276,8 +300,6 @@ module Aws
276
300
  ]
277
301
  when 400
278
302
  raise TokenRetrivalError
279
- when 401
280
- raise TokenExpiredError
281
303
  else
282
304
  raise Non200Response
283
305
  end
data/lib/aws-sdk-core/shared_config.rb CHANGED
@@ -205,6 +205,7 @@ module Aws
205
205
  :use_fips_endpoint,
206
206
  :ec2_metadata_service_endpoint,
207
207
  :ec2_metadata_service_endpoint_mode,
208
+ :ec2_metadata_v1_disabled,
208
209
  :max_attempts,
209
210
  :retry_mode,
210
211
  :adaptive_retry_wait_to_fill,
data/lib/aws-sdk-sso/client.rb CHANGED
@@ -605,7 +605,7 @@ module Aws::SSO
605
605
  params: params,
606
606
  config: config)
607
607
  context[:gem_name] = 'aws-sdk-core'
608
- context[:gem_version] = '3.185.2'
608
+ context[:gem_version] = '3.186.0'
609
609
  Seahorse::Client::Request.new(handlers, context)
610
610
  end
611
611
 
data/lib/aws-sdk-sso.rb CHANGED
@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sso/customizations'
54
54
  # @!group service
55
55
  module Aws::SSO
56
56
 
57
- GEM_VERSION = '3.185.2'
57
+ GEM_VERSION = '3.186.0'
58
58
 
59
59
  end
data/lib/aws-sdk-ssooidc/client.rb CHANGED
@@ -601,7 +601,7 @@ module Aws::SSOOIDC
601
601
  params: params,
602
602
  config: config)
603
603
  context[:gem_name] = 'aws-sdk-core'
604
- context[:gem_version] = '3.185.2'
604
+ context[:gem_version] = '3.186.0'
605
605
  Seahorse::Client::Request.new(handlers, context)
606
606
  end
607
607
 
data/lib/aws-sdk-ssooidc.rb CHANGED
@@ -54,6 +54,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
54
54
  # @!group service
55
55
  module Aws::SSOOIDC
56
56
 
57
- GEM_VERSION = '3.185.2'
57
+ GEM_VERSION = '3.186.0'
58
58
 
59
59
  end
data/lib/aws-sdk-sts/client.rb CHANGED
@@ -2344,7 +2344,7 @@ module Aws::STS
2344
2344
  params: params,
2345
2345
  config: config)
2346
2346
  context[:gem_name] = 'aws-sdk-core'
2347
- context[:gem_version] = '3.185.2'
2347
+ context[:gem_version] = '3.186.0'
2348
2348
  Seahorse::Client::Request.new(handlers, context)
2349
2349
  end
2350
2350
 
data/lib/aws-sdk-sts.rb CHANGED
@@ -54,6 +54,6 @@ require_relative 'aws-sdk-sts/customizations'
54
54
  # @!group service
55
55
  module Aws::STS
56
56
 
57
- GEM_VERSION = '3.185.2'
57
+ GEM_VERSION = '3.186.0'
58
58
 
59
59
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-core
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.185.2
4
+ version: 3.186.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-10-31 00:00:00.000000000 Z
11
+ date: 2023-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: jmespath