aws-sdk-core 3.185.2 → 3.186.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/instance_profile_credentials.rb +52 -30
- data/lib/aws-sdk-core/shared_config.rb +1 -0
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-ssooidc/client.rb +1 -1
- data/lib/aws-sdk-ssooidc.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 4b996ac6ca7e1d4d61926d24af262a70a2d2da40b09a8999165721b58c8995a1
|
4
|
+
data.tar.gz: a931f4b08ac8b2fd6342abbd4b799b649ee057c9e1bb9dc8cb9581ef30030f30
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b9655a1c8c71af67476d77e3248f8fd95e994aee2ac1a1c8960d9f12c4c7823ef624029661683b346653cd671c048ee00f01938fcfcade24b2a60ea344c886ec
|
7
|
+
data.tar.gz: 97cec2c4e76b50f1224f92111d47240ab8f9d318489ec30607a206b4c83623033972d4ed72a466d90eef2957eb9ae1cf2c416cc276f9a8d4bb2c057fe7f1e968
|
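--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+3.186.0 (2023-11-02)
+------------------
+
+* Feature - Support disabling IMDSv1 in `InstanceProfileCredentials` using `ENV['AWS_EC2_METADATA_V1_DISABLED']`, `ec2_metadata_v1_disabled` shared config, or the `disable_imds_v1` credentials option.
+
 3.185.2 (2023-10-31)
 ------------------
 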
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
3.
|
1
|
+
3.186.0
|
@@ -53,6 +53,8 @@ module Aws
|
|
53
53
|
# @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
|
54
54
|
# the instance metadata service. This is either 'IPv4' ('169.254.169.254')
|
55
55
|
# or 'IPv6' ('[fd00:ec2::254]').
|
56
|
+
# @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
|
57
|
+
# legacy EC2 Metadata Service v1.
|
56
58
|
# @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
|
57
59
|
# :endpoint instead. The IP address for the endpoint.
|
58
60
|
# @option options [Integer] :port (80)
|
@@ -77,6 +79,9 @@ module Aws
|
|
77
79
|
endpoint_mode = resolve_endpoint_mode(options)
|
78
80
|
@endpoint = resolve_endpoint(options, endpoint_mode)
|
79
81
|
@port = options[:port] || 80
|
82
|
+
@disable_imds_v1 = resolve_disable_v1(options)
|
83
|
+
# Flag for if v2 flow fails, skip future attempts
|
84
|
+
@imds_v1_fallback = false
|
80
85
|
@http_open_timeout = options[:http_open_timeout] || 1
|
81
86
|
@http_read_timeout = options[:http_read_timeout] || 1
|
82
87
|
@http_debug_output = options[:http_debug_output]
|
@@ -123,6 +128,16 @@ module Aws
|
|
123
128
|
end
|
124
129
|
end
|
125
130
|
|
131
|
+
def resolve_disable_v1(options)
|
132
|
+
value = options[:disable_imds_v1]
|
133
|
+
value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
|
134
|
+
value ||= Aws.shared_config.ec2_metadata_v1_disabled(
|
135
|
+
profile: options[:profile]
|
136
|
+
)
|
137
|
+
value = value.to_s.downcase if value
|
138
|
+
Aws::Util.str_2_bool(value) || false
|
139
|
+
end
|
140
|
+
|
126
141
|
def backoff(backoff)
|
127
142
|
case backoff
|
128
143
|
when Proc then backoff
|
@@ -141,7 +156,7 @@ module Aws
|
|
141
156
|
# service is responding but is returning invalid JSON documents
|
142
157
|
# in response to the GET profile credentials call.
|
143
158
|
begin
|
144
|
-
retry_errors([Aws::Json::ParseError
|
159
|
+
retry_errors([Aws::Json::ParseError], max_retries: 3) do
|
145
160
|
c = Aws::Json.load(get_credentials.to_s)
|
146
161
|
if empty_credentials?(@credentials)
|
147
162
|
@credentials = Credentials.new(
|
@@ -173,7 +188,6 @@ module Aws
|
|
173
188
|
end
|
174
189
|
end
|
175
190
|
end
|
176
|
-
|
177
191
|
end
|
178
192
|
rescue Aws::Json::ParseError
|
179
193
|
raise Aws::Errors::MetadataParserError
|
@@ -191,34 +205,14 @@ module Aws
|
|
191
205
|
open_connection do |conn|
|
192
206
|
# attempt to fetch token to start secure flow first
|
193
207
|
# and rescue to failover
|
194
|
-
|
195
|
-
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
196
|
-
unless token_set?
|
197
|
-
created_time = Time.now
|
198
|
-
token_value, ttl = http_put(
|
199
|
-
conn, METADATA_TOKEN_PATH, @token_ttl
|
200
|
-
)
|
201
|
-
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
202
|
-
end
|
203
|
-
end
|
204
|
-
rescue *NETWORK_ERRORS
|
205
|
-
# token attempt failed, reset token
|
206
|
-
# fallback to non-token mode
|
207
|
-
@token = nil
|
208
|
-
end
|
209
|
-
|
208
|
+
fetch_token(conn) unless @imds_v1_fallback
|
210
209
|
token = @token.value if token_set?
|
211
210
|
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
# Token has expired, reset it
|
218
|
-
# The next retry should fetch it
|
219
|
-
@token = nil
|
220
|
-
raise Non200Response
|
221
|
-
end
|
211
|
+
# disable insecure flow if we couldn't get token
|
212
|
+
# and imds v1 is disabled
|
213
|
+
raise TokenRetrivalError if token.nil? && @disable_imds_v1
|
214
|
+
|
215
|
+
_get_credentials(conn, token)
|
222
216
|
end
|
223
217
|
end
|
224
218
|
rescue
|
@@ -227,6 +221,36 @@ module Aws
|
|
227
221
|
end
|
228
222
|
end
|
229
223
|
|
224
|
+
def fetch_token(conn)
|
225
|
+
retry_errors(NETWORK_ERRORS, max_retries: @retries) do
|
226
|
+
unless token_set?
|
227
|
+
created_time = Time.now
|
228
|
+
token_value, ttl = http_put(
|
229
|
+
conn, METADATA_TOKEN_PATH, @token_ttl
|
230
|
+
)
|
231
|
+
@token = Token.new(token_value, ttl, created_time) if token_value && ttl
|
232
|
+
end
|
233
|
+
end
|
234
|
+
rescue *NETWORK_ERRORS
|
235
|
+
# token attempt failed, reset token
|
236
|
+
# fallback to non-token mode
|
237
|
+
@token = nil
|
238
|
+
@imds_v1_fallback = true
|
239
|
+
end
|
240
|
+
|
241
|
+
# token is optional - if nil, uses v1 (insecure) flow
|
242
|
+
def _get_credentials(conn, token)
|
243
|
+
metadata = http_get(conn, METADATA_PATH_BASE, token)
|
244
|
+
profile_name = metadata.lines.first.strip
|
245
|
+
http_get(conn, METADATA_PATH_BASE + profile_name, token)
|
246
|
+
rescue TokenExpiredError
|
247
|
+
# Token has expired, reset it
|
248
|
+
# The next retry should fetch it
|
249
|
+
@token = nil
|
250
|
+
@imds_v1_fallback = false
|
251
|
+
raise Non200Response
|
252
|
+
end
|
253
|
+
|
230
254
|
def token_set?
|
231
255
|
@token && !@token.expired?
|
232
256
|
end
|
@@ -276,8 +300,6 @@ module Aws
|
|
276
300
|
]
|
277
301
|
when 400
|
278
302
|
raise TokenRetrivalError
|
279
|
-
when 401
|
280
|
-
raise TokenExpiredError
|
281
303
|
else
|
282
304
|
raise Non200Response
|
283
305
|
end
|
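Review bot: In `fetch_token`, the rescue sets `@imds_v1_fallback = true` even when `@disable_imds_v1` is set, and `get_credentials` then skips `fetch_token` on every later call, so `token` stays nil and `raise TokenRetrivalError` fires each time. From the visible hunks the flag is only cleared in `_get_credentials` on `TokenExpiredError`, which is not reached on that path, so a single transient network error on the token request would appear to leave a v2-only provider unable to recover. Consider setting the flag only when v1 is allowed, `@imds_v1_fallback = true unless @disable_imds_v1`, and noting on the `@imds_v1_fallback = false` initialiser that the downgrade to the tokenless flow persists until a token-expired response. The body of `get_credentials` starts and ends outside the hunk, so an outer retry or reset may change this.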
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-ssooidc.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -2344,7 +2344,7 @@ module Aws::STS
|
|
2344
2344
|
params: params,
|
2345
2345
|
config: config)
|
2346
2346
|
context[:gem_name] = 'aws-sdk-core'
|
2347
|
-
context[:gem_version] = '3.
|
2347
|
+
context[:gem_version] = '3.186.0'
|
2348
2348
|
Seahorse::Client::Request.new(handlers, context)
|
2349
2349
|
end
|
2350
2350
|
|
data/lib/aws-sdk-sts.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: aws-sdk-core
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.186.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Amazon Web Services
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-11-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jmespath
|