aws-sdk-core 3.211.0 → 3.225.0

data/lib/aws-sdk-sts/types.rb

@@ -26,10 +26,21 @@ module Aws::STS
     #   that use the temporary security credentials will expose the role
     #   session name to the external account in their CloudTrail logs.
     #
+    #   For security purposes, administrators can view this field in
+    #   [CloudTrail logs][1] to help identify who performed an action in
+    #   Amazon Web Services. Your administrator might require that you
+    #   specify your user name as the session name when you assume the role.
+    #   For more information, see [ `sts:RoleSessionName` ][2].
+    #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
     #   @return [String]
     #
     # @!attribute [rw] policy_arns
@@ -101,6 +112,9 @@ module Aws::STS
     #
     #    </note>
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #
     #
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
@@ -125,8 +139,7 @@ module Aws::STS
     #   However, if you assume a role using role chaining and provide a
     #   `DurationSeconds` parameter value greater than one hour, the
     #   operation fails. To learn how to view the maximum value for your
-    #   role, see [View the Maximum Session Duration Setting for a Role][1]
-    #   in the *IAM User Guide*.
+    #   role, see [Update the maximum session duration for a role][1].
     #
     #   By default, the value is set to `3600` seconds.
     #
@@ -142,7 +155,7 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration
     #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
     #   @return [Integer]
     #
@@ -199,9 +212,8 @@ module Aws::STS
     #   passes to subsequent sessions in a role chain. For more information,
     #   see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
     #
-    #   This parameter is optional. When you set session tags as transitive,
-    #   the session policy and session tags packed binary limit is not
-    #   affected.
+    #   This parameter is optional. The transitive status of a session tag
+    #   does not impact its packed binary size.
     #
     #   If you choose not to specify a transitive tag key, then no tags are
     #   passed from this session to any subsequent sessions.
@@ -263,28 +275,31 @@ module Aws::STS
     #
     # @!attribute [rw] source_identity
     #   The source identity specified by the principal that is calling the
-    #   `AssumeRole` operation.
+    #   `AssumeRole` operation. The source identity value persists across
+    #   [chained role][1] sessions.
     #
     #   You can require users to specify a source identity when they assume
-    #   a role. You do this by using the `sts:SourceIdentity` condition key
-    #   in a role trust policy. You can use source identity information in
-    #   CloudTrail logs to determine who took actions with a role. You can
-    #   use the `aws:SourceIdentity` condition key to further control access
-    #   to Amazon Web Services resources based on the value of source
-    #   identity. For more information about using source identity, see
-    #   [Monitor and control actions taken with assumed roles][1] in the
-    #   *IAM User Guide*.
+    #   a role. You do this by using the [ `sts:SourceIdentity` ][2]
+    #   condition key in a role trust policy. You can use source identity
+    #   information in CloudTrail logs to determine who took actions with a
+    #   role. You can use the `aws:SourceIdentity` condition key to further
+    #   control access to Amazon Web Services resources based on the value
+    #   of source identity. For more information about using source
+    #   identity, see [Monitor and control actions taken with assumed
+    #   roles][3] in the *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
-    #   characters: =,.@-. You cannot use a value that begins with the text
+    #   characters: +=,.@-. You cannot use a value that begins with the text
     #   `aws:`. This prefix is reserved for Amazon Web Services internal
     #   use.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
     # @!attribute [rw] provided_contexts
@@ -297,7 +312,7 @@ module Aws::STS
     #   context provider from which the trusted context assertion was
     #   generated.
     #
-    #   `[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]`
+    #   `[{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]`
     #   @return [Array<Types::ProvidedContext>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
@@ -465,6 +480,9 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
     #   session policy, managed policy ARNs, and session tags into a packed
     #   binary format that has a separate limit. Your request can fail for
@@ -600,6 +618,8 @@ module Aws::STS
     #
     # @!attribute [rw] source_identity
     #   The value in the `SourceIdentity` attribute in the SAML assertion.
+    #   The source identity value persists across [chained role][1]
+    #   sessions.
     #
     #   You can require users to set a source identity value when they
     #   assume a role. You do this by using the `sts:SourceIdentity`
@@ -607,12 +627,12 @@ module Aws::STS
     #   taken with the role are associated with that user. After the source
     #   identity is set, the value cannot be changed. It is present in the
     #   request for all actions that are taken by the role and persists
-    #   across [chained role][1] sessions. You can configure your SAML
+    #   across [chained role][2] sessions. You can configure your SAML
     #   identity provider to use an attribute associated with your users,
     #   like user name or email, as the source identity when calling
     #   `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
     #   assertion. For more information about using source identity, see
-    #   [Monitor and control actions taken with assumed roles][2] in the
+    #   [Monitor and control actions taken with assumed roles][3] in the
     #   *IAM User Guide*.
     #
     #   The regex used to validate this parameter is a string of characters
@@ -622,8 +642,9 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
-    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
@@ -645,6 +666,24 @@ module Aws::STS
     # @!attribute [rw] role_arn
     #   The Amazon Resource Name (ARN) of the role that the caller is
     #   assuming.
+    #
+    #   <note markdown="1"> Additional considerations apply to Amazon Cognito identity pools
+    #   that assume [cross-account IAM roles][1]. The trust policies of
+    #   these roles must accept the `cognito-identity.amazonaws.com` service
+    #   principal and must contain the `cognito-identity.amazonaws.com:aud`
+    #   condition key to restrict role assumption to users from your
+    #   intended identity pools. A policy that trusts Amazon Cognito
+    #   identity pools without this condition creates a risk that a user
+    #   from an unintended identity pool can assume the role. For more
+    #   information, see [ Trust policies for IAM roles in Basic (Classic)
+    #   authentication ][2] in the *Amazon Cognito Developer Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies
     #   @return [String]
     #
     # @!attribute [rw] role_session_name
@@ -655,10 +694,21 @@ module Aws::STS
     #   session name is included as part of the ARN and assumed role ID in
     #   the `AssumedRoleUser` response element.
     #
+    #   For security purposes, administrators can view this field in
+    #   [CloudTrail logs][1] to help identify who performed an action in
+    #   Amazon Web Services. Your administrator might require that you
+    #   specify your user name as the session name when you assume the role.
+    #   For more information, see [ `sts:RoleSessionName` ][2].
+    #
     #   The regex used to validate this parameter is a string of characters
     #   consisting of upper- and lower-case alphanumeric characters with no
     #   spaces. You can also include underscores or any of the following
     #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname
     #   @return [String]
     #
     # @!attribute [rw] web_identity_token
@@ -666,8 +716,10 @@ module Aws::STS
     #   provided by the identity provider. Your application must get this
     #   token by authenticating the user who is using your application with
     #   a web identity provider before the application makes an
-    #   `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
-    #   (RS256) are supported.
+    #   `AssumeRoleWithWebIdentity` call. Timestamps in the token must be
+    #   formatted as either an integer or a long integer. Tokens must be
+    #   signed using either RSA keys (RS256, RS384, or RS512) or ECDSA keys
+    #   (ES256, ES384, or ES512).
     #   @return [String]
     #
     # @!attribute [rw] provider_id
@@ -741,6 +793,9 @@ module Aws::STS
     #   include the tab (\\u0009), linefeed (\\u000A), and carriage return
     #   (\\u000D) characters.
     #
+    #   For more information about role session permissions, see [Session
+    #   policies][1].
+    #
     #   <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
     #   session policy, managed policy ARNs, and session tags into a packed
     #   binary format that has a separate limit. Your request can fail for
@@ -881,7 +936,7 @@ module Aws::STS
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts
     #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
     #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
     #   @return [String]
@@ -900,6 +955,92 @@ module Aws::STS
       include Aws::Structure
     end
 
+    # @!attribute [rw] target_principal
+    #   The member account principal ARN or account ID.
+    #   @return [String]
+    #
+    # @!attribute [rw] task_policy_arn
+    #   The identity based policy that scopes the session to the privileged
+    #   tasks that can be performed. You can use one of following Amazon Web
+    #   Services managed policies to scope root session actions.
+    #
+    #   * [IAMAuditRootUserCredentials][1]
+    #
+    #   * [IAMCreateRootUserPassword][2]
+    #
+    #   * [IAMDeleteRootUserCredentials][3]
+    #
+    #   * [S3UnlockBucketPolicy][4]
+    #
+    #   * [SQSUnlockQueuePolicy][5]
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
+    #   [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
+    #   [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
+    #   [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
+    #   @return [Types::PolicyDescriptorType]
+    #
+    # @!attribute [rw] duration_seconds
+    #   The duration, in seconds, of the privileged session. The value can
+    #   range from 0 seconds up to the maximum session duration of 900
+    #   seconds (15 minutes). If you specify a value higher than this
+    #   setting, the operation fails.
+    #
+    #   By default, the value is set to `900` seconds.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootRequest AWS API Documentation
+    #
+    class AssumeRootRequest < Struct.new(
+      :target_principal,
+      :task_policy_arn,
+      :duration_seconds)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] credentials
+    #   The temporary security credentials, which include an access key ID,
+    #   a secret access key, and a security token.
+    #
+    #   <note markdown="1"> The size of the security token that STS API operations return is not
+    #   fixed. We strongly recommend that you make no assumptions about the
+    #   maximum size.
+    #
+    #    </note>
+    #   @return [Types::Credentials]
+    #
+    # @!attribute [rw] source_identity
+    #   The source identity specified by the principal that is calling the
+    #   `AssumeRoot` operation.
+    #
+    #   You can use the `aws:SourceIdentity` condition key to control access
+    #   based on the value of source identity. For more information about
+    #   using source identity, see [Monitor and control actions taken with
+    #   assumed roles][1] in the *IAM User Guide*.
+    #
+    #   The regex used to validate this parameter is a string of characters
+    #   consisting of upper- and lower-case alphanumeric characters with no
+    #   spaces. You can also include underscores or any of the following
+    #   characters: =,.@-
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRootResponse AWS API Documentation
+    #
+    class AssumeRootResponse < Struct.new(
+      :credentials,
+      :source_identity)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The identifiers for the temporary security credentials that the
     # operation returns.
     #
@@ -1419,7 +1560,8 @@ module Aws::STS
 
     # The error returned if the message passed to
     # `DecodeAuthorizationMessage` was invalid. This can happen if the token
-    # contains invalid characters, such as linebreaks.
+    # contains invalid characters, such as line breaks, or if the message
+    # has expired.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1539,8 +1681,8 @@ module Aws::STS
     # STS is not activated in the requested region for the account that is
     # being asked to generate credentials. The account administrator must
     # use the IAM console to activate STS in that region. For more
-    # information, see [Activating and Deactivating Amazon Web Services STS
-    # in an Amazon Web Services Region][1] in the *IAM User Guide*.
+    # information, see [Activating and Deactivating STS in an Amazon Web
+    # Services Region][1] in the *IAM User Guide*.
     #
     #
     #

data/lib/aws-sdk-sts.rb

@@ -56,7 +56,7 @@ module Aws::STS
   autoload :EndpointProvider, 'aws-sdk-sts/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-sts/endpoints'
 
-  GEM_VERSION = '3.211.0'
+  GEM_VERSION = '3.225.0'
 
 end
 

data/lib/seahorse/client/async_base.rb

@@ -3,7 +3,6 @@
 module Seahorse
   module Client
     class AsyncBase < Seahorse::Client::Base
-
       # default H2 plugins
       # @api private
       @plugins = PluginList.new([
@@ -11,10 +10,10 @@ module Seahorse
         Plugins::H2,
         Plugins::ResponseTarget
       ])
+
       def initialize(plugins, options)
-        super
-        @connection = H2::Connection.new(options)
-        @options = options
+        super(plugins, options)
+        @connection = H2::Connection.new(@config)
       end
 
       # @return [H2::Connection]
@@ -36,7 +35,7 @@ module Seahorse
       # @return [Seahorse::Client::H2::Connection]
       def new_connection
         if @connection.closed?
-          @connection = H2::Connection.new(@options)
+          @connection = H2::Connection.new(@config)
         else
           @connection
         end

data/lib/seahorse/client/base.rb

@@ -176,8 +176,6 @@ module Seahorse
         # @return [Model::Api]
         def set_api(api)
           @api = api
-          define_operation_methods
-          @api
         end
 
         # @option options [Model::Api, Hash] :api ({})
@@ -196,18 +194,6 @@ module Seahorse
 
         private
 
-        def define_operation_methods
-          operations_module = Module.new
-          @api.operation_names.each do |method_name|
-            operations_module.send(:define_method, method_name) do |*args, &block|
-              params = args[0] || {}
-              options = args[1] || {}
-              build_request(method_name, params).send_request(options, &block)
-            end
-          end
-          include(operations_module)
-        end
-
         def build_plugins(plugins)
           plugins.map { |plugin| plugin.is_a?(Class) ? plugin.new : plugin }
         end

data/lib/seahorse/client/h2/connection.rb

@@ -10,13 +10,8 @@ module Seahorse
   module Client
     # @api private
     module H2
-
       # H2 Connection build on top of `http/2` gem
-      # (requires Ruby >= 2.1)
-      # with TLS layer plus ALPN, requires:
-      # Ruby >= 2.3 and OpenSSL >= 1.0.2
       class Connection
-
         OPTIONS = {
           max_concurrent_streams: 100,
           connection_timeout: 60,
@@ -27,7 +22,7 @@ module Seahorse
           ssl_ca_bundle: nil,
           ssl_ca_directory: nil,
           ssl_ca_store: nil,
-          enable_alpn: false
+          enable_alpn: true
         }
 
         # chunk read size at socket
@@ -41,25 +36,23 @@ module Seahorse
             instance_variable_set("@#{opt_name}", value)
           end
           @h2_client = HTTP2::Client.new(
-            settings_max_concurrent_streams: max_concurrent_streams
+            settings_max_concurrent_streams: @max_concurrent_streams
           )
-          @logger = if @http_wire_trace
-            options[:logger] || Logger.new($stdout)
-          end
+          @logger ||= Logger.new($stdout) if @http_wire_trace
           @chunk_size = options[:read_chunk_size] || CHUNKSIZE
+
           @errors = []
           @status = :ready
+
           @mutex = Mutex.new # connection can be shared across requests
           @socket = nil
           @socket_thread = nil
         end
 
         OPTIONS.keys.each do |attr_name|
-          attr_reader(attr_name)
+          attr_reader attr_name
         end
 
-        alias ssl_verify_peer? ssl_verify_peer
-
         attr_reader :errors
 
         attr_accessor :input_signal_thread
@@ -112,7 +105,7 @@ module Seahorse
                   @h2_client << data
                 rescue IO::WaitReadable
                   begin
-                    unless IO.select([@socket], nil, nil, connection_read_timeout)
+                    unless IO.select([@socket], nil, nil, @connection_read_timeout)
                       self.debug_output('socket connection read time out')
                       self.close!
                     else
@@ -154,11 +147,11 @@ module Seahorse
         end
 
         def debug_output(msg, type = nil)
-          prefix = case type
+          prefix =
+            case type
             when :send then '-> '
             when :receive then '<- '
-            else
-              ''
+            else ''
             end
           return unless @logger
           _debug_entry(prefix + msg)
@@ -206,7 +199,7 @@ module Seahorse
           begin
             tcp.connect_nonblock(addr)
           rescue IO::WaitWritable
-            unless IO.select(nil, [tcp], nil, connection_timeout)
+            unless IO.select(nil, [tcp], nil, @connection_timeout)
               tcp.close
               raise
             end
@@ -220,15 +213,15 @@ module Seahorse
 
         def _tls_context
           ssl_ctx = OpenSSL::SSL::SSLContext.new(:TLSv1_2)
-          if ssl_verify_peer?
+          if @ssl_verify_peer
             ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
-            ssl_ctx.ca_file = ssl_ca_bundle ? ssl_ca_bundle : _default_ca_bundle
-            ssl_ctx.ca_path = ssl_ca_directory ? ssl_ca_directory : _default_ca_directory
-            ssl_ctx.cert_store = ssl_ca_store if ssl_ca_store
+            ssl_ctx.ca_file = @ssl_ca_bundle || _default_ca_bundle
+            ssl_ctx.ca_path = @ssl_ca_directory || _default_ca_directory
+            ssl_ctx.cert_store = @ssl_ca_store if @ssl_ca_store
           else
             ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
           end
-          if enable_alpn
+          if @enable_alpn
             debug_output('enabling ALPN for TLS ...')
             ssl_ctx.alpn_protocols = ['h2']
           end
@@ -236,15 +229,12 @@ module Seahorse
         end
 
         def _default_ca_bundle
-          File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE) ?
-            OpenSSL::X509::DEFAULT_CERT_FILE : nil
+          OpenSSL::X509::DEFAULT_CERT_FILE if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
         end
 
         def _default_ca_directory
-          Dir.exist?(OpenSSL::X509::DEFAULT_CERT_DIR) ?
-            OpenSSL::X509::DEFAULT_CERT_DIR : nil
+          OpenSSL::X509::DEFAULT_CERT_DIR if Dir.exist?(OpenSSL::X509::DEFAULT_CERT_DIR)
         end
-
       end
     end
   end

data/lib/seahorse/client/http/response.rb

@@ -66,8 +66,8 @@ module Seahorse
         # @param [string] chunk
         def signal_data(chunk)
           unless chunk == ''
-            @body.write(chunk)
             emit(:data, chunk)
+            @body.write(chunk)
           end
         end
 

data/lib/seahorse/client/net_http/connection_pool.rb

@@ -336,6 +336,8 @@ module Seahorse
           attr_reader :last_used
 
           def __getobj__
+            return yield if block_given? && !defined?(@http)
+
             @http
           end
 

data/lib/seahorse/client/networking_error.rb

@@ -39,7 +39,7 @@ module Seahorse
 
     end
 
-    # Rasied when trying to use an closed connection
+    # Raised when trying to use an closed connection
     class Http2ConnectionClosedError < StandardError; end
   end
 end

data/lib/seahorse/client/plugins/h2.rb

@@ -53,10 +53,10 @@ When `true`, SSL peer certificates are verified when establishing a connection.
 When `true`, HTTP2 debug output will be sent to the `:logger`.
         DOCS
 
-        option(:enable_alpn, default: false, doc_type: 'Boolean', docstring: <<-DOCS)
-Set to `true` to enable ALPN in HTTP2 over TLS. Requires Openssl version >= 1.0.2.
-Defaults to false. Note: not all service HTTP2 operations supports ALPN on server
-side, please refer to service documentation.
+        option(:enable_alpn, default: true, doc_type: 'Boolean', docstring: <<-DOCS)
+Set to `false` to disable ALPN in HTTP2 over TLS. ALPN requires Openssl version >= 1.0.2.
+Note: RFC7540 requires HTTP2 to use ALPN over TLS but some
+services may not fully support ALPN and require setting this to `false`.
         DOCS
 
         option(:logger)

data/lib/seahorse/client/response.rb

@@ -75,6 +75,8 @@ module Seahorse
       # Necessary to define as a subclass of Delegator
       # @api private
       def __getobj__
+        return yield if block_given? && !defined?(@data)
+
         @data
       end
 

data/sig/aws-sdk-core/async_client_stubs.rbs

@@ -0,0 +1,21 @@
+module Aws
+  module AsyncClientStubs
+    include ClientStubs
+
+    def send_events: () -> untyped
+
+    class StubsStream
+      def initialize: () -> void
+
+      attr_accessor send_events: untyped
+
+      attr_reader state: Symbol
+
+      def data: (untyped bytes, ?::Hash[untyped, untyped] options) -> untyped
+
+      def closed?: () -> bool
+
+      def close: () -> void
+    end
+  end
+end

data/sig/seahorse/client/async_base.rbs

@@ -0,0 +1,18 @@
+module Seahorse
+  module Client
+    class AsyncBase < Base
+
+      def self.new: (?untyped options) -> instance
+
+      attr_reader connection: untyped
+
+      def operation_names: () -> Array[Symbol]
+
+      def close_connection: () -> Symbol
+
+      def new_connection: () -> untyped
+
+      def connection_errors: () -> Array[untyped]
+    end
+  end
+end