aws-sdk-core 3.220.1 → 3.232.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3240fa70bcc8af09bd2cf7dfaaa5801cb7786c7fd253beff8d859e6a65a4b135
-  data.tar.gz: cf8950c3f0291a93298b3723eb697d6930f55d6fcc6ddd4ed197db3d2225b8bf
+  metadata.gz: ecdbb0ca615cde813f52b03861d36db189562c896e01499ed8dcd80768085300
+  data.tar.gz: 5ab8e9d52d9f7522afa27ff7c5c6e5e51f27f966ddba8bea62edb153307120c9
 SHA512:
-  metadata.gz: d2cbfdcdb577a82a691c172f3f69785e0d0ab980fdf2cbb9387ef60c8b32531a0804f7cee8c799e7be17f8c6c2a43956fec8ad6425147516c1aaec75a3e6cb42
-  data.tar.gz: 0de986f5a38fc00014c90010e259c30c1c30714f8191aa1858af4a2bc6cf075ffd52d8caf1da4eacaaab0b987bc5cf245061d951b8fe86be0cba0b0f793a38fa
+  metadata.gz: b23f5bc51a113cfb8b6c0f7306d42c97872d2eff0c5fa0b395b9e714045c8a3446e91313d6d17317419520229ea809097e3abb794f2f448bd698ec982841032f
+  data.tar.gz: a02785a5b072cb04d27203fb6e990cfa01b10c59f8abdb221b0181b4d07d56a04d0bcc67f308a10fbeba0f3facdadabb77918815e10dbcd8629df25a6d41cc42

data/CHANGELOG.md

@@ -1,6 +1,146 @@
 Unreleased Changes
 ------------------
 
+3.232.0 (2025-08-28)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Remove incorrect endpoint tests
+
+3.231.0 (2025-08-26)
+------------------
+
+* Feature - Remove incorrect endpoint tests
+
+* Feature - Add support for ENV as credential source for `AssumeRoleCredentials`.
+
+3.230.0 (2025-08-21)
+------------------
+
+* Feature - Remove incorrect endpoint tests
+
+3.229.0 (2025-08-04)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.228.0 (2025-07-31)
+------------------
+
+* Feature - Add `bigdecimal` as a dependency. For systems that are not able to build native extension gems, prefer the locally installed `bigdecimal` with `bundle install --prefer-local`.
+
+3.227.0 (2025-07-21)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support an auth scheme signing preference list using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or `auth_scheme_preference` in shared configuration.
+
+* Feature - Support metric tracking for Bedrock Bearer tokens.
+
+3.226.3 (2025-07-17)
+------------------
+
+* Issue - Skip `Aws::InstanceProfileCredentials` instantiation when `ENV['AWS_EC2_METADATA_DISABLED']` is set to `true` in the credential resolution chain.
+
+* Issue - Refactor `InstanceProfileCredentials` to improve code clarity and documentation. 
+
+3.226.2 (2025-07-01)
+------------------
+
+* Issue - Document incorrect behavior in protocol error parsing (specifically around query and query compatible services).
+
+3.226.1 (2025-06-24)
+------------------
+
+* Issue - Fixed spelling in the `Aws::Errors::SignalEventError` error message.
+
+3.226.0 (2025-06-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - The AWS Security Token Service APIs AssumeRoleWithSAML and AssumeRoleWithWebIdentity can now be invoked without pre-configured AWS credentials in the SDK configuration.
+
+3.225.2 (2025-06-10)
+------------------
+
+* Issue - Only load required `cgi` modules for Ruby 3.5.
+
+3.225.1 (2025-06-05)
+------------------
+
+* Issue - Fix RPCv2 parser to handle flattened list and flattened map members correctly for `AwsQueryCompatible` services.
+
+3.225.0 (2025-06-02)
+------------------
+
+* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 2.5 and 2.6.
+
+3.224.1 (2025-05-28)
+------------------
+
+* Issue - Signal data in http response listeners prior to writing, so that data can be inspected or verified before potential mutation.
+
+3.224.0 (2025-05-12)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support `ENV['AWS_DISABLE_HOST_PREFIX_INJECTION']` and `disable_host_prefix_injection` shared config to disable host prefix injection for all services.
+
+3.223.0 (2025-05-01)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+3.222.3 (2025-04-28)
+------------------
+
+* Issue - Do not dynamically create operation methods from the API. (#3234)
+
+3.222.2 (2025-04-16)
+------------------
+
+* Issue - Additional metrics collection for credentials in the User-Agent plugin.
+
+3.222.1 (2025-03-28)
+------------------
+
+* Issue - Allow explicit modeled headers to override prefixed headers for `rest` protocols. 
+
+3.222.0 (2025-03-27)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - This release adds AwsAdditionalDetails in the CreateTokenWithIAM API response.
+
+3.221.0 (2025-03-24)
+------------------
+
+* Feature - Add `logger` as an explicit dependency for Ruby 3.5.
+* Issue - Enable ALPN over TLS for H2 Connection by default.
+* Issue - Fix HTTP-2 connections to properly use config values configured on the client.
+
+3.220.2 (2025-03-20)
+------------------
+
+* Issue - Enable ALPN over TLS for H2 by default.
+
 3.220.1 (2025-03-06)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.220.1
+3.232.0

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -50,6 +50,7 @@ module Aws
       end
       @client = client_opts[:client] || STS::Client.new(client_opts)
       @async_refresh = true
+      @metrics = ['CREDENTIALS_STS_ASSUME_ROLE']
       super
     end
 

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -61,6 +61,7 @@ module Aws
         @assume_role_web_identity_params[:role_session_name] = _session_name
       end
       @client = client_opts[:client] || STS::Client.new(client_opts.merge(credentials: nil))
+      @metrics = ['CREDENTIALS_STS_ASSUME_ROLE_WEB_ID']
       super
     end
 

data/lib/aws-sdk-core/credential_provider.rb

@@ -9,6 +9,10 @@ module Aws
     # @return [Time]
     attr_reader :expiration
 
+    # @api private
+    # Returns UserAgent metrics for credentials.
+    attr_accessor :metrics
+
     # @return [Boolean]
     def set?
       !!@credentials && @credentials.set?

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -42,12 +42,14 @@ module Aws
 
     def static_credentials(options)
       if options[:config]
-        Credentials.new(
+        creds = Credentials.new(
           options[:config].access_key_id,
           options[:config].secret_access_key,
           options[:config].session_token,
           account_id: options[:config].account_id
         )
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     end
 
@@ -76,7 +78,9 @@ module Aws
 
     def static_profile_credentials(options)
       if options[:config] && options[:config].profile
-        SharedCredentials.new(profile_name: options[:config].profile)
+        creds = SharedCredentials.new(profile_name: options[:config].profile)
+        creds.metrics = ['CREDENTIALS_PROFILE']
+        creds
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -85,7 +89,11 @@ module Aws
     def static_profile_process_credentials(options)
       if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
         process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -96,12 +104,14 @@ module Aws
       secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY]
       token =  %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN]
       account_id = %w[AWS_ACCOUNT_ID]
-      Credentials.new(
+      creds = Credentials.new(
         envar(key),
         envar(secret),
         envar(token),
         account_id: envar(account_id)
       )
+      creds.metrics = ['CREDENTIALS_ENV_VARS']
+      creds
     end
 
     def envar(keys)
@@ -117,7 +127,9 @@ module Aws
 
     def shared_credentials(options)
       profile_name = determine_profile_name(options)
-      SharedCredentials.new(profile_name: profile_name)
+      creds = SharedCredentials.new(profile_name: profile_name)
+      creds.metrics = ['CREDENTIALS_PROFILE']
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -126,7 +138,11 @@ module Aws
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?
         process_provider = Aws.shared_config.credential_process(profile: profile_name)
-        ProcessCredentials.new([process_provider]) if process_provider
+        if process_provider
+          creds = ProcessCredentials.new([process_provider])
+          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
+          creds
+        end
       end
     rescue Errors::NoSuchProfileError
       nil
@@ -156,7 +172,11 @@ module Aws
           role_session_name: ENV['AWS_ROLE_SESSION_NAME']
         }
         cfg[:region] = region if region
-        AssumeRoleWebIdentityCredentials.new(cfg)
+        Aws::Plugins::UserAgent.metric('CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN') do
+          creds = AssumeRoleWebIdentityCredentials.new(cfg)
+          creds.metrics << 'CREDENTIALS_ENV_VARS_STS_WEB_ID_TOKEN'
+          creds
+        end
       elsif Aws.shared_config.config_enabled?
         profile = options[:config].profile if options[:config]
         Aws.shared_config.assume_role_web_identity_credentials_from_config(
@@ -171,7 +191,7 @@ module Aws
       if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
          ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
-      else
+      elsif !(ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true')
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
       end
     end

data/lib/aws-sdk-core/credentials.rb

@@ -14,6 +14,7 @@ module Aws
       @secret_access_key = secret_access_key
       @session_token = session_token
       @account_id = kwargs[:account_id]
+      @metrics = ['CREDENTIALS_CODE']
     end
 
     # @return [String]
@@ -28,6 +29,11 @@ module Aws
     # @return [String, nil]
     attr_reader :account_id
 
+    # @api private
+    # Returns the credentials source. Used for tracking credentials
+    # related UserAgent metrics.
+    attr_accessor :metrics
+
     # @return [Credentials]
     def credentials
       self

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -77,6 +77,7 @@ module Aws
       @http_debug_output = options[:http_debug_output]
       @backoff = backoff(options[:backoff])
       @async_refresh = false
+      @metrics = ['CREDENTIALS_HTTP']
       super
     end
 

data/lib/aws-sdk-core/endpoints/matchers.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require 'cgi'
+require "cgi/escape"
+require "cgi/util" if RUBY_VERSION < "3.5"
 
 module Aws
   module Endpoints

data/lib/aws-sdk-core/endpoints.rb

@@ -19,19 +19,28 @@ require 'aws-sigv4'
 module Aws
   # @api private
   module Endpoints
-    SUPPORTED_AUTH_TRAITS = %w[
-      aws.auth#sigv4
-      aws.auth#sigv4a
-      smithy.api#httpBearerAuth
-      smithy.api#noAuth
-    ].freeze
+    # Maps config auth scheme preferences to endpoint auth scheme names.
+    ENDPOINT_AUTH_PREFERENCE_MAP = {
+      'sigv4' => %w[sigv4 sigv4-s3express],
+      'sigv4a' => ['sigv4a'],
+      'httpBearerAuth' => ['bearer'],
+      'noAuth' => ['none']
+    }.freeze
+    SUPPORTED_ENDPOINT_AUTH = ENDPOINT_AUTH_PREFERENCE_MAP.values.flatten.freeze
+
+    # Maps configured auth scheme preferences to modeled auth traits.
+    MODELED_AUTH_PREFERENCE_MAP = {
+      'sigv4' => 'aws.auth#sigv4',
+      'sigv4a' => 'aws.auth#sigv4a',
+      'httpBearerAuth' => 'smithy.api#httpBearerAuth',
+      'noAuth' => 'smithy.api#noAuth'
+    }.freeze
+    SUPPORTED_MODELED_AUTH = MODELED_AUTH_PREFERENCE_MAP.values.freeze
 
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
-          auth_scheme = auth_schemes.find do |scheme|
-            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
-          end
+          auth_scheme = endpoint_auth_scheme_preference(auth_schemes, context.config.auth_scheme_preference)
           raise 'No supported auth scheme for this endpoint.' unless auth_scheme
 
           merge_signing_defaults(auth_scheme, context.config)
@@ -42,6 +51,16 @@ module Aws
 
       private
 
+      def endpoint_auth_scheme_preference(auth_schemes, preferred_auth)
+        ordered_auth = preferred_auth.each_with_object([]) do |pref, list|
+          next unless ENDPOINT_AUTH_PREFERENCE_MAP.key?(pref)
+
+          ENDPOINT_AUTH_PREFERENCE_MAP[pref].each { |name| list << { 'name' => name } }
+        end
+        ordered_auth += auth_schemes
+        ordered_auth.find { |auth| SUPPORTED_ENDPOINT_AUTH.include?(auth['name']) }
+      end
+
       def merge_signing_defaults(auth_scheme, config)
         if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
           auth_scheme['signingName'] ||= sigv4_name(config)
@@ -64,13 +83,12 @@ module Aws
       end
 
       def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
+        config.api.metadata['signingName'] || config.api.metadata['endpointPrefix']
       end
 
       def default_auth_scheme(context)
-        if (auth_list = default_api_auth(context))
-          auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
+        if (modeled_auth = default_api_auth(context))
+          auth = modeled_auth_scheme_preference(modeled_auth, context.config.auth_scheme_preference)
           case auth
           when 'aws.auth#sigv4', 'aws.auth#sigv4a'
             auth_scheme = { 'name' => auth.split('#').last }
@@ -93,6 +111,12 @@ module Aws
         end
       end
 
+      def modeled_auth_scheme_preference(modeled_auth, preferred_auth)
+        ordered_auth = preferred_auth.map { |pref| MODELED_AUTH_PREFERENCE_MAP[pref] }.compact
+        ordered_auth += modeled_auth
+        ordered_auth.find { |auth| SUPPORTED_MODELED_AUTH.include?(auth) }
+      end
+
       def default_api_auth(context)
         context.config.api.operation(context.operation_name)['auth'] ||
           context.config.api.metadata['auth']

data/lib/aws-sdk-core/error_handler.rb

@@ -1,12 +1,17 @@
 # frozen_string_literal: true
 
 module Aws
+  # @api private
   class ErrorHandler < Seahorse::Client::Handler
 
     private
 
     def error(context)
       body = context.http_response.body_contents
+      # This is not correct per protocol tests. Some headers will determine the error code.
+      # If the body is empty, there is still potentially an error code from the header, but
+      # we are making a generic http status error instead. In a new major version, we should
+      # always try to extract header, and during extraction, check headers and body.
       if body.empty?
         code, message, data = http_status_error(context)
       else

data/lib/aws-sdk-core/errors.rb

@@ -68,7 +68,7 @@ module Aws
       end
     end
 
-    # Rasied when endpoint discovery failed for operations
+    # Raised when endpoint discovery failed for operations
     # that requires endpoints from endpoint discovery
     class EndpointDiscoveryError < RuntimeError
       def initialize(*args)
@@ -78,7 +78,7 @@ module Aws
       end
     end
 
-    # raised when hostLabel member is not provided
+    # Raised when hostLabel member is not provided
     # at operation input when endpoint trait is available
     # with 'hostPrefix' requirement
     class MissingEndpointHostLabelValue < RuntimeError

data/lib/aws-sdk-core/event_emitter.rb

@@ -31,7 +31,7 @@ module Aws
     def emit(type, params)
       unless @stream
         raise Aws::Errors::SignalEventError.new(
-          "Singaling events before making async request"\
+          "Signaling events before making async request"\
           " is not allowed."
         )
       end