aws-sdk-core 3.209.1 → 3.240.0

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -11,7 +11,7 @@ module Aws
     def resolve
       providers.each do |method_name, options|
         provider = send(method_name, options.merge(config: @config))
-        return provider if provider && provider.set?
+        return provider if provider&.set?
       end
       nil
     end
@@ -25,12 +25,14 @@ module Aws
         [:static_profile_sso_credentials, {}],
         [:static_profile_assume_role_credentials, {}],
         [:static_profile_credentials, {}],
+        [:static_profile_login_credentials, {}],
         [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
         [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
+        [:login_credentials, {}],
         [:process_credentials, {}],
         [:instance_profile_credentials, {
           retries: @config ? @config.instance_profile_credentials_retries : 0,
@@ -42,51 +44,92 @@ module Aws
 
     def static_credentials(options)
       if options[:config]
-        Credentials.new(
+        creds = Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
           options[:config].session_token,
           account_id: options[:config].account_id
         )
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     end
 
     def static_profile_assume_role_web_identity_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.assume_role_web_identity_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.assume_role_web_identity_credentials_from_config(
           profile: options[:config].profile,
           region: options[:config].region
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_sso_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.sso_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.sso_credentials_from_config(
           profile: options[:config].profile
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_assume_role_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        assume_role_with_profile(options, options[:config].profile)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = assume_role_with_profile(options, options[:config].profile)
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_credentials(options)
-      if options[:config] && options[:config].profile
-        SharedCredentials.new(profile_name: options[:config].profile)
-      end
+      return unless options[:config]&.profile
+
+      creds = SharedCredentials.new(profile_name: options[:config].profile)
+      creds.metrics << 'CREDENTIALS_PROFILE'
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
 
-    def static_profile_process_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        ProcessCredentials.new([process_provider]) if process_provider
+    def static_profile_login_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.login_credentials_from_config(
+          profile: options[:config].profile,
+          region: options[:config].region
+        )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
+    end
+
+    def static_profile_process_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
+      return unless process_provider
+
+      creds = ProcessCredentials.new([process_provider])
+      creds.metrics.concat(%w[CREDENTIALS_PROFILE_PROCESS CREDENTIALS_CODE])
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -96,12 +139,14 @@ module Aws
       secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
       token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
       account_id = %w[AWS_ACCOUNT_ID]
-      Credentials.new(
+      creds = Credentials.new(
         envar(key),
         envar(secret),
         envar(token),
         account_id: envar(account_id)
       )
+      creds.metrics = ['CREDENTIALS_ENV_VARS']
+      creds
     end
 
     def envar(keys)
@@ -112,12 +157,24 @@ module Aws
     end
 
     def determine_profile_name(options)
-      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+      (options[:config]&.profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
     end
 
     def shared_credentials(options)
       profile_name = determine_profile_name(options)
-      SharedCredentials.new(profile_name: profile_name)
+      creds = SharedCredentials.new(profile_name: profile_name)
+      creds.metrics = ['CREDENTIALS_PROFILE']
+      creds
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def login_credentials(options)
+      return unless Aws.shared_config.config_enabled?
+
+      profile_name = determine_profile_name(options)
+      region = options[:config].region if options[:config]
+      Aws.shared_config.login_credentials_from_config(profile: profile_name, region: region)
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -126,7 +183,11 @@ module Aws
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?
         process_provider = Aws.shared_config.credential_process(profile: profile_name)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -156,7 +217,11 @@ module Aws
           role_session_name: ENV['AWS_ROLE_SESSION_NAME']
         }
         cfg[:region] = region if region
-        AssumeRoleWebIdentityCredentials.new(cfg)
+        Aws::Plugins::UserAgent.metric('CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN') do
+          creds = AssumeRoleWebIdentityCredentials.new(cfg)
+          creds.metrics << 'CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN'
+          creds
+        end
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(
@@ -171,7 +236,7 @@ module Aws
       if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
          ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
-      else
+      elsif !(ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true')
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
       end
     end
@@ -181,10 +246,14 @@ module Aws
         profile: profile_name,
         chain_config: @config
       }
-      if options[:config] && options[:config].region
+      if options[:config]&.region
         assume_opts[:region] = options[:config].region
       end
       Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
+
+    def with_metrics(metrics, &block)
+      Aws::Plugins::UserAgent.metric(*metrics, &block)
+    end
   end
 end

data/lib/aws-sdk-core/credentials.rb

@@ -14,6 +14,7 @@ module Aws
       @secret_access_key = secret_access_key
       @session_token = session_token
       @account_id = kwargs[:account_id]
+      @metrics = ['CREDENTIALS_CODE']
     end
 
     # @return [String]
@@ -28,6 +29,11 @@ module Aws
     # @return [String, nil]
     attr_reader :account_id
 
+    # @api private
+    # Returns the credentials source. Used for tracking credentials
+    # related UserAgent metrics.
+    attr_accessor :metrics
+
     # @return [Credentials]
     def credentials
       self

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -42,26 +42,26 @@ module Aws
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
     # @option options [String] :ip_address ('169.254.170.2') This value is
-    #   ignored if `endpoint` is set and `credential_path` is not set.
-    # @option options [Integer] :port (80) This value is ignored if `endpoint`
-    #   is set and `credential_path` is not set.
+    #   ignored if `:endpoint` is set and `:credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `:endpoint`
+    #   is set and `:credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
-    #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    #   `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable.
     # @option options [String] :endpoint The container credential endpoint.
-    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
-    #   environment variable. This value is ignored if `credential_path` or
-    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
+    #   By default, this is the value of the `AWS_CONTAINER_CREDENTIALS_FULL_URI`
+    #   environment variable. This value is ignored if `:credential_path` or
+    #   `ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']` is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
-    # @option options [Numeric, Proc] :delay By default, failures are retried
+    # @option options [IO] :http_debug_output (nil) HTTP wire
+    #   traces are sent to this object.  You can specify something
+    #   like `$stdout`.
+    # @option options [Numeric, Proc] :backoff By default, failures are retried
     #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
     #   pass a number of seconds to sleep between failed attempts, or
     #   a Proc that accepts the number of failures.
-    # @option options [IO] :http_debug_output (nil) HTTP wire
-    #   traces are sent to this object.  You can specify something
-    #   like $stdout.
-    # @option options [Callable] before_refresh Proc called before
-    #   credentials are refreshed. `before_refresh` is called
+    # @option options [Proc] :before_refresh A Proc called before
+    #   credentials are refreshed. `:before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
@@ -77,6 +77,7 @@ module Aws
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
       @async_refresh = false
+      @metrics = ['CREDENTIALS_HTTP']
       super
     end
 

data/lib/aws-sdk-core/endpoints/matchers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require 'cgi'
+require "cgi/escape"
+require "cgi/util" if RUBY_VERSION < "3.5"
 
 module Aws
   module Endpoints
@@ -94,14 +95,7 @@ module Aws
 
       # aws.partition(value: string) Option<Partition>
       def self.aws_partition(value)
-        partition =
-          Aws::Partitions.find { |p| p.region?(value) } ||
-          Aws::Partitions.find { |p| value.match(p.region_regex) } ||
-          Aws::Partitions.find { |p| p.name == 'aws' }
-
-        return nil unless partition
-
-        partition.metadata
+        Aws::Partitions::Metadata.partition(value)
       end
 
       # aws.parseArn(value: string) Option<ARN>

data/lib/aws-sdk-core/endpoints.rb

@@ -19,19 +19,28 @@ require 'aws-sigv4'
 module Aws
   # @api private
   module Endpoints
-    SUPPORTED_AUTH_TRAITS = %w[
-      aws.auth#sigv4
-      aws.auth#sigv4a
-      smithy.api#httpBearerAuth
-      smithy.api#noAuth
-    ].freeze
+    # Maps config auth scheme preferences to endpoint auth scheme names.
+    ENDPOINT_AUTH_PREFERENCE_MAP = {
+      'sigv4' => %w[sigv4 sigv4-s3express],
+      'sigv4a' => ['sigv4a'],
+      'httpBearerAuth' => ['bearer'],
+      'noAuth' => ['none']
+    }.freeze
+    SUPPORTED_ENDPOINT_AUTH = ENDPOINT_AUTH_PREFERENCE_MAP.values.flatten.freeze
+
+    # Maps configured auth scheme preferences to modeled auth traits.
+    MODELED_AUTH_PREFERENCE_MAP = {
+      'sigv4' => 'aws.auth#sigv4',
+      'sigv4a' => 'aws.auth#sigv4a',
+      'httpBearerAuth' => 'smithy.api#httpBearerAuth',
+      'noAuth' => 'smithy.api#noAuth'
+    }.freeze
+    SUPPORTED_MODELED_AUTH = MODELED_AUTH_PREFERENCE_MAP.values.freeze
 
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
-          auth_scheme = auth_schemes.find do |scheme|
-            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
-          end
+          auth_scheme = endpoint_auth_scheme_preference(auth_schemes, context.config.auth_scheme_preference)
           raise 'No supported auth scheme for this endpoint.' unless auth_scheme
 
           merge_signing_defaults(auth_scheme, context.config)
@@ -42,6 +51,16 @@ module Aws
 
       private
 
+      def endpoint_auth_scheme_preference(auth_schemes, preferred_auth)
+        ordered_auth = preferred_auth.each_with_object([]) do |pref, list|
+          next unless ENDPOINT_AUTH_PREFERENCE_MAP.key?(pref)
+
+          ENDPOINT_AUTH_PREFERENCE_MAP[pref].each { |name| list << { 'name' => name } }
+        end
+        ordered_auth += auth_schemes
+        ordered_auth.find { |auth| SUPPORTED_ENDPOINT_AUTH.include?(auth['name']) }
+      end
+
       def merge_signing_defaults(auth_scheme, config)
         if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
           auth_scheme['signingName'] ||= sigv4_name(config)
@@ -64,13 +83,12 @@ module Aws
       end
 
       def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
+        config.api.metadata['signingName'] || config.api.metadata['endpointPrefix']
       end
 
       def default_auth_scheme(context)
-        if (auth_list = default_api_auth(context))
-          auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
+        if (modeled_auth = default_api_auth(context))
+          auth = modeled_auth_scheme_preference(modeled_auth, context.config.auth_scheme_preference)
           case auth
           when 'aws.auth#sigv4', 'aws.auth#sigv4a'
             auth_scheme = { 'name' => auth.split('#').last }
@@ -93,6 +111,12 @@ module Aws
         end
       end
 
+      def modeled_auth_scheme_preference(modeled_auth, preferred_auth)
+        ordered_auth = preferred_auth.map { |pref| MODELED_AUTH_PREFERENCE_MAP[pref] }.compact
+        ordered_auth += modeled_auth
+        ordered_auth.find { |auth| SUPPORTED_MODELED_AUTH.include?(auth) }
+      end
+
       def default_api_auth(context)
         context.config.api.operation(context.operation_name)['auth'] ||
           context.config.api.metadata['auth']

data/lib/aws-sdk-core/error_handler.rb

@@ -1,12 +1,17 @@
 # frozen_string_literal: true
 
 module Aws
+  # @api private
   class ErrorHandler < Seahorse::Client::Handler
 
     private
 
     def error(context)
       body = context.http_response.body_contents
+      # This is not correct per protocol tests. Some headers will determine the error code.
+      # If the body is empty, there is still potentially an error code from the header, but
+      # we are making a generic http status error instead. In a new major version, we should
+      # always try to extract header, and during extraction, check headers and body.
       if body.empty?
         code, message, data = http_status_error(context)
       else

data/lib/aws-sdk-core/errors.rb

@@ -68,7 +68,7 @@ module Aws
       end
     end
 
-    # Rasied when endpoint discovery failed for operations
+    # Raised when endpoint discovery failed for operations
     # that requires endpoints from endpoint discovery
     class EndpointDiscoveryError < RuntimeError
       def initialize(*args)
@@ -78,7 +78,7 @@ module Aws
       end
     end
 
-    # raised when hostLabel member is not provided
+    # Raised when hostLabel member is not provided
     # at operation input when endpoint trait is available
     # with 'hostPrefix' requirement
     class MissingEndpointHostLabelValue < RuntimeError
@@ -213,6 +213,9 @@ module Aws
     # Raised when SSO Token is invalid
     class InvalidSSOToken < RuntimeError; end
 
+    # Raised when Login Token is invalid
+    class InvalidLoginToken < RuntimeError; end
+
     # Raised when a client is unable to sign a request because
     # the bearer token is not configured or available
     class MissingBearerTokenError < RuntimeError

data/lib/aws-sdk-core/event_emitter.rb

@@ -31,7 +31,7 @@ module Aws
     def emit(type, params)
       unless @stream
         raise Aws::Errors::SignalEventError.new(
-          "Singaling events before making async request"\
+          "Signaling events before making async request"\
           " is not allowed."
         )
       end