aws-sdk-core 3.190.3 → 3.240.0

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -11,7 +11,7 @@ module Aws
     def resolve
       providers.each do |method_name, options|
         provider = send(method_name, options.merge(config: @config))
-        return provider if provider && provider.set?
+        return provider if provider&.set?
       end
       nil
     end
@@ -25,12 +25,14 @@ module Aws
         [:static_profile_sso_credentials, {}],
         [:static_profile_assume_role_credentials, {}],
         [:static_profile_credentials, {}],
+        [:static_profile_login_credentials, {}],
         [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
         [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
+        [:login_credentials, {}],
         [:process_credentials, {}],
         [:instance_profile_credentials, {
           retries: @config ? @config.instance_profile_credentials_retries : 0,
@@ -42,50 +44,92 @@ module Aws
 
     def static_credentials(options)
       if options[:config]
-        Credentials.new(
+        creds = Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
-          options[:config].session_token
+          options[:config].session_token,
+          account_id: options[:config].account_id
         )
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     end
 
     def static_profile_assume_role_web_identity_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.assume_role_web_identity_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.assume_role_web_identity_credentials_from_config(
           profile: options[:config].profile,
           region: options[:config].region
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_sso_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.sso_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.sso_credentials_from_config(
           profile: options[:config].profile
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_assume_role_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        assume_role_with_profile(options, options[:config].profile)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = assume_role_with_profile(options, options[:config].profile)
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_credentials(options)
-      if options[:config] && options[:config].profile
-        SharedCredentials.new(profile_name: options[:config].profile)
-      end
+      return unless options[:config]&.profile
+
+      creds = SharedCredentials.new(profile_name: options[:config].profile)
+      creds.metrics << 'CREDENTIALS_PROFILE'
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
 
-    def static_profile_process_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        ProcessCredentials.new(process_provider) if process_provider
+    def static_profile_login_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.login_credentials_from_config(
+          profile: options[:config].profile,
+          region: options[:config].region
+        )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
+    end
+
+    def static_profile_process_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
+      return unless process_provider
+
+      creds = ProcessCredentials.new([process_provider])
+      creds.metrics.concat(%w[CREDENTIALS_PROFILE_PROCESS CREDENTIALS_CODE])
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -94,7 +138,15 @@ module Aws
       key =    %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY]
       secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
       token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
-      Credentials.new(envar(key), envar(secret), envar(token))
+      account_id = %w[AWS_ACCOUNT_ID]
+      creds = Credentials.new(
+        envar(key),
+        envar(secret),
+        envar(token),
+        account_id: envar(account_id)
+      )
+      creds.metrics = ['CREDENTIALS_ENV_VARS']
+      creds
     end
 
     def envar(keys)
@@ -105,21 +157,37 @@ module Aws
     end
 
     def determine_profile_name(options)
-      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+      (options[:config]&.profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
     end
 
     def shared_credentials(options)
       profile_name = determine_profile_name(options)
-      SharedCredentials.new(profile_name: profile_name)
+      creds = SharedCredentials.new(profile_name: profile_name)
+      creds.metrics = ['CREDENTIALS_PROFILE']
+      creds
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def login_credentials(options)
+      return unless Aws.shared_config.config_enabled?
+
+      profile_name = determine_profile_name(options)
+      region = options[:config].region if options[:config]
+      Aws.shared_config.login_credentials_from_config(profile: profile_name, region: region)
     rescue Errors::NoSuchProfileError
       nil
     end
 
     def process_credentials(options)
       profile_name = determine_profile_name(options)
-      if Aws.shared_config.config_enabled? &&
-         (process_provider = Aws.shared_config.credential_process(profile: profile_name))
-        ProcessCredentials.new(process_provider)
+      if Aws.shared_config.config_enabled?
+        process_provider = Aws.shared_config.credential_process(profile: profile_name)
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -149,7 +217,11 @@ module Aws
           role_session_name: ENV['AWS_ROLE_SESSION_NAME']
         }
         cfg[:region] = region if region
-        AssumeRoleWebIdentityCredentials.new(cfg)
+        Aws::Plugins::UserAgent.metric('CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN') do
+          creds = AssumeRoleWebIdentityCredentials.new(cfg)
+          creds.metrics << 'CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN'
+          creds
+        end
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(
@@ -164,7 +236,7 @@ module Aws
       if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
          ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
-      else
+      elsif !(ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true')
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
       end
     end
@@ -174,10 +246,14 @@ module Aws
         profile: profile_name,
         chain_config: @config
       }
-      if options[:config] && options[:config].region
+      if options[:config]&.region
         assume_opts[:region] = options[:config].region
       end
       Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
+
+    def with_metrics(metrics, &block)
+      Aws::Plugins::UserAgent.metric(*metrics, &block)
+    end
   end
 end

data/lib/aws-sdk-core/credentials.rb

@@ -6,21 +6,34 @@ module Aws
     # @param [String] access_key_id
     # @param [String] secret_access_key
     # @param [String] session_token (nil)
-    def initialize(access_key_id, secret_access_key, session_token = nil)
+    # @param [Hash] kwargs
+    # @option kwargs [String] :credential_scope (nil)
+    def initialize(access_key_id, secret_access_key, session_token = nil,
+                   **kwargs)
       @access_key_id = access_key_id
       @secret_access_key = secret_access_key
       @session_token = session_token
+      @account_id = kwargs[:account_id]
+      @metrics = ['CREDENTIALS_CODE']
     end
 
-    # @return [String, nil]
+    # @return [String]
     attr_reader :access_key_id
 
-    # @return [String, nil]
+    # @return [String]
     attr_reader :secret_access_key
 
     # @return [String, nil]
     attr_reader :session_token
 
+    # @return [String, nil]
+    attr_reader :account_id
+
+    # @api private
+    # Returns the credentials source. Used for tracking credentials
+    # related UserAgent metrics.
+    attr_accessor :metrics
+
     # @return [Credentials]
     def credentials
       self
@@ -30,9 +43,9 @@ module Aws
     #   access key are both set.
     def set?
       !access_key_id.nil? &&
-      !access_key_id.empty? &&
-      !secret_access_key.nil? &&
-      !secret_access_key.empty?
+        !access_key_id.empty? &&
+        !secret_access_key.nil? &&
+        !secret_access_key.empty?
     end
 
     # Removing the secret access key from the default inspect string.

data/lib/aws-sdk-core/ec2_metadata.rb

@@ -183,7 +183,7 @@ module Aws
 
     def open_connection
       uri = URI.parse(@endpoint)
-      http = Net::HTTP.new(uri.hostname || @endpoint, @port || uri.port)
+      http = Net::HTTP.new(uri.hostname || @endpoint, uri.port || @port)
       http.open_timeout = @http_open_timeout
       http.read_timeout = @http_read_timeout
       http.set_debug_output(@http_debug_output) if @http_debug_output

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -42,26 +42,26 @@ module Aws
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
     # @option options [String] :ip_address ('169.254.170.2') This value is
-    #   ignored if `endpoint` is set and `credential_path` is not set.
-    # @option options [Integer] :port (80) This value is ignored if `endpoint`
-    #   is set and `credential_path` is not set.
+    #   ignored if `:endpoint` is set and `:credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `:endpoint`
+    #   is set and `:credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
-    #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    #   `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable.
     # @option options [String] :endpoint The container credential endpoint.
-    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
-    #   environment variable. This value is ignored if `credential_path` or
-    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
+    #   By default, this is the value of the `AWS_CONTAINER_CREDENTIALS_FULL_URI`
+    #   environment variable. This value is ignored if `:credential_path` or
+    #   `ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']` is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
-    # @option options [Numeric, Proc] :delay By default, failures are retried
+    # @option options [IO] :http_debug_output (nil) HTTP wire
+    #   traces are sent to this object.  You can specify something
+    #   like `$stdout`.
+    # @option options [Numeric, Proc] :backoff By default, failures are retried
     #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
     #   pass a number of seconds to sleep between failed attempts, or
     #   a Proc that accepts the number of failures.
-    # @option options [IO] :http_debug_output (nil) HTTP wire
-    #   traces are sent to this object.  You can specify something
-    #   like $stdout.
-    # @option options [Callable] before_refresh Proc called before
-    #   credentials are refreshed. `before_refresh` is called
+    # @option options [Proc] :before_refresh A Proc called before
+    #   credentials are refreshed. `:before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
@@ -77,6 +77,7 @@ module Aws
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
       @async_refresh = false
+      @metrics = ['CREDENTIALS_HTTP']
       super
     end
 
@@ -207,7 +208,8 @@ module Aws
       end
     rescue TokenFileReadError, InvalidTokenError
       raise
-    rescue StandardError
+    rescue StandardError => e
+      warn("Error retrieving ECS Credentials: #{e.message}")
       '{}'
     end
 

data/lib/aws-sdk-core/endpoints/endpoint.rb

@@ -3,15 +3,17 @@
 module Aws
   module Endpoints
     class Endpoint
-      def initialize(url:, properties: {}, headers: {})
+      def initialize(url:, properties: {}, headers: {}, metadata: {})
         @url = url
         @properties = properties
         @headers = headers
+        @metadata = metadata
       end
 
       attr_reader :url
       attr_reader :properties
       attr_reader :headers
+      attr_reader :metadata
     end
   end
 end

data/lib/aws-sdk-core/endpoints/matchers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require 'cgi'
+require "cgi/escape"
+require "cgi/util" if RUBY_VERSION < "3.5"
 
 module Aws
   module Endpoints
@@ -28,7 +29,11 @@ module Aws
 
         val = if (index = parts.first[BRACKET_REGEX, 1])
                 # remove brackets and index from part before indexing
-                value[parts.first.gsub(BRACKET_REGEX, '')][index.to_i]
+                if (base = parts.first.gsub(BRACKET_REGEX, '')) && !base.empty?
+                  value[base][index.to_i]
+                else
+                  value[index.to_i]
+                end
               else
                 value[parts.first]
               end
@@ -90,14 +95,7 @@ module Aws
 
       # aws.partition(value: string) Option<Partition>
       def self.aws_partition(value)
-        partition =
-          Aws::Partitions.find { |p| p.region?(value) } ||
-          Aws::Partitions.find { |p| value.match(p.region_regex) } ||
-          Aws::Partitions.find { |p| p.name == 'aws' }
-
-        return nil unless partition
-
-        partition.metadata
+        Aws::Partitions::Metadata.partition(value)
       end
 
       # aws.parseArn(value: string) Option<ARN>

data/lib/aws-sdk-core/endpoints.rb

@@ -14,15 +14,33 @@ require_relative 'endpoints/templater'
 require_relative 'endpoints/tree_rule'
 require_relative 'endpoints/url'
 
+require 'aws-sigv4'
+
 module Aws
   # @api private
   module Endpoints
+    # Maps config auth scheme preferences to endpoint auth scheme names.
+    ENDPOINT_AUTH_PREFERENCE_MAP = {
+      'sigv4' => %w[sigv4 sigv4-s3express],
+      'sigv4a' => ['sigv4a'],
+      'httpBearerAuth' => ['bearer'],
+      'noAuth' => ['none']
+    }.freeze
+    SUPPORTED_ENDPOINT_AUTH = ENDPOINT_AUTH_PREFERENCE_MAP.values.flatten.freeze
+
+    # Maps configured auth scheme preferences to modeled auth traits.
+    MODELED_AUTH_PREFERENCE_MAP = {
+      'sigv4' => 'aws.auth#sigv4',
+      'sigv4a' => 'aws.auth#sigv4a',
+      'httpBearerAuth' => 'smithy.api#httpBearerAuth',
+      'noAuth' => 'smithy.api#noAuth'
+    }.freeze
+    SUPPORTED_MODELED_AUTH = MODELED_AUTH_PREFERENCE_MAP.values.freeze
+
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
-          auth_scheme = auth_schemes.find do |scheme|
-            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
-          end
+          auth_scheme = endpoint_auth_scheme_preference(auth_schemes, context.config.auth_scheme_preference)
           raise 'No supported auth scheme for this endpoint.' unless auth_scheme
 
           merge_signing_defaults(auth_scheme, context.config)
@@ -33,8 +51,86 @@ module Aws
 
       private
 
+      def endpoint_auth_scheme_preference(auth_schemes, preferred_auth)
+        ordered_auth = preferred_auth.each_with_object([]) do |pref, list|
+          next unless ENDPOINT_AUTH_PREFERENCE_MAP.key?(pref)
+
+          ENDPOINT_AUTH_PREFERENCE_MAP[pref].each { |name| list << { 'name' => name } }
+        end
+        ordered_auth += auth_schemes
+        ordered_auth.find { |auth| SUPPORTED_ENDPOINT_AUTH.include?(auth['name']) }
+      end
+
+      def merge_signing_defaults(auth_scheme, config)
+        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
+          auth_scheme['signingName'] ||= sigv4_name(config)
+
+          # back fill disableNormalizePath for S3 until it gets correctly set in the rules
+          if auth_scheme['signingName'] == 's3' &&
+            !auth_scheme.include?('disableNormalizePath') &&
+            auth_scheme.include?('disableDoubleEncoding')
+            auth_scheme['disableNormalizePath'] = auth_scheme['disableDoubleEncoding']
+          end
+          if auth_scheme['name'] == 'sigv4a'
+            # config option supersedes endpoint properties
+            auth_scheme['signingRegionSet'] =
+              config.sigv4a_signing_region_set || auth_scheme['signingRegionSet'] || [config.region]
+          else
+            auth_scheme['signingRegion'] ||= config.region
+          end
+        end
+        auth_scheme
+      end
+
+      def sigv4_name(config)
+        config.api.metadata['signingName'] || config.api.metadata['endpointPrefix']
+      end
+
       def default_auth_scheme(context)
-        case default_api_authtype(context)
+        if (modeled_auth = default_api_auth(context))
+          auth = modeled_auth_scheme_preference(modeled_auth, context.config.auth_scheme_preference)
+          case auth
+          when 'aws.auth#sigv4', 'aws.auth#sigv4a'
+            auth_scheme = { 'name' => auth.split('#').last }
+            if s3_or_s3v4_signature_version?(context)
+              auth_scheme = auth_scheme.merge(
+                'disableDoubleEncoding' => true,
+                'disableNormalizePath' => true
+              )
+            end
+            merge_signing_defaults(auth_scheme, context.config)
+          when 'smithy.api#httpBearerAuth'
+            { 'name' => 'bearer' }
+          when 'smithy.api#noAuth'
+            { 'name' => 'none' }
+          else
+            raise 'No supported auth trait for this endpoint.'
+          end
+        else
+          legacy_default_auth_scheme(context)
+        end
+      end
+
+      def modeled_auth_scheme_preference(modeled_auth, preferred_auth)
+        ordered_auth = preferred_auth.map { |pref| MODELED_AUTH_PREFERENCE_MAP[pref] }.compact
+        ordered_auth += modeled_auth
+        ordered_auth.find { |auth| SUPPORTED_MODELED_AUTH.include?(auth) }
+      end
+
+      def default_api_auth(context)
+        context.config.api.operation(context.operation_name)['auth'] ||
+          context.config.api.metadata['auth']
+      end
+
+      def s3_or_s3v4_signature_version?(context)
+        %w[s3 s3v4].include?(context.config.api.metadata['signatureVersion'])
+      end
+
+      # Legacy auth resolution - looks for deprecated signatureVersion
+      # and authType traits.
+
+      def legacy_default_auth_scheme(context)
+        case legacy_default_api_authtype(context)
         when 'v4', 'v4-unsigned-body'
           auth_scheme = { 'name' => 'sigv4' }
           merge_signing_defaults(auth_scheme, context.config)
@@ -52,27 +148,11 @@ module Aws
         end
       end
 
-      def merge_signing_defaults(auth_scheme, config)
-        if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
-          auth_scheme['signingName'] ||= sigv4_name(config)
-          if auth_scheme['name'] == 'sigv4a'
-            auth_scheme['signingRegionSet'] ||= ['*']
-          else
-            auth_scheme['signingRegion'] ||= config.region
-          end
-        end
-        auth_scheme
-      end
-
-      def default_api_authtype(context)
+      def legacy_default_api_authtype(context)
         context.config.api.operation(context.operation_name)['authtype'] ||
           context.config.api.metadata['signatureVersion']
       end
 
-      def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
-      end
     end
   end
 end

data/lib/aws-sdk-core/error_handler.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  class ErrorHandler < Seahorse::Client::Handler
+
+    private
+
+    def error(context)
+      body = context.http_response.body_contents
+      # This is not correct per protocol tests. Some headers will determine the error code.
+      # If the body is empty, there is still potentially an error code from the header, but
+      # we are making a generic http status error instead. In a new major version, we should
+      # always try to extract header, and during extraction, check headers and body.
+      if body.empty?
+        code, message, data = http_status_error(context)
+      else
+        code, message, data = extract_error(body, context)
+      end
+      build_error(context, code, message, data)
+    end
+
+    def build_error(context, code, message, data)
+      errors_module = context.client.class.errors_module
+      errors_module.error_class(code).new(context, message, data)
+    end
+
+    def http_status_error(context)
+      [http_status_error_code(context), '', EmptyStructure.new]
+    end
+
+    def http_status_error_code(context)
+      status_code = context.http_response.status_code
+      {
+        302 => 'MovedTemporarily',
+        304 => 'NotModified',
+        400 => 'BadRequest',
+        403 => 'Forbidden',
+        404 => 'NotFound',
+        412 => 'PreconditionFailed',
+        413 => 'RequestEntityTooLarge',
+      }[status_code] || "Http#{status_code}Error"
+    end
+
+  end
+end

data/lib/aws-sdk-core/errors.rb

@@ -12,7 +12,7 @@ module Aws
     class ServiceError < RuntimeError
 
       # @param [Seahorse::Client::RequestContext] context
-      # @param [String] message
+      # @param [String, nil] message
       # @param [Aws::Structure] data
       def initialize(context, message, data = Aws::EmptyStructure.new)
         @code = self.class.code
@@ -34,7 +34,7 @@ module Aws
 
       class << self
 
-        # @return [String]
+        # @return [String, nil]
         attr_accessor :code
 
       end
@@ -68,7 +68,7 @@ module Aws
       end
     end
 
-    # Rasied when endpoint discovery failed for operations
+    # Raised when endpoint discovery failed for operations
     # that requires endpoints from endpoint discovery
     class EndpointDiscoveryError < RuntimeError
       def initialize(*args)
@@ -78,7 +78,7 @@ module Aws
       end
     end
 
-    # raised when hostLabel member is not provided
+    # Raised when hostLabel member is not provided
     # at operation input when endpoint trait is available
     # with 'hostPrefix' requirement
     class MissingEndpointHostLabelValue < RuntimeError
@@ -213,6 +213,9 @@ module Aws
     # Raised when SSO Token is invalid
     class InvalidSSOToken < RuntimeError; end
 
+    # Raised when Login Token is invalid
+    class InvalidLoginToken < RuntimeError; end
+
     # Raised when a client is unable to sign a request because
     # the bearer token is not configured or available
     class MissingBearerTokenError < RuntimeError
@@ -236,6 +239,15 @@ module Aws
       end
     end
 
+    # Raised when a client is constructed and the sigv4a region set is invalid.
+    # It is invalid when it is empty and/or contains empty strings.
+    class InvalidRegionSetError < ArgumentError
+      def initialize(*args)
+        msg = 'The provided sigv4a region set was empty or invalid.'
+        super(msg)
+      end
+    end
+
     # Raised when a client is contsructed and the region is not valid.
     class InvalidRegionError < ArgumentError
       def initialize(*args)