aws-sdk-core 3.224.1 → 3.240.0

data/lib/aws-sdk-core/login_credentials.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+module Aws
+  # An auto-refreshing credential provider that retrieves credentials from
+  # a cached login token. This class does NOT implement the AWS Sign-In
+  # login flow - tokens must be generated separately by running `aws login`
+  # from the AWS CLI/AWS Tools for PowerShell with the correct profile.
+  # The {LoginCredentials} will auto-refresh the AWS credentials from AWS Sign-In.
+  #
+  #     # You must first run aws login --profile your-login-profile
+  #     login_credentials = Aws::LoginCredentials.new(login_session: 'my_login_session')
+  #     ec2 = Aws::EC2::Client.new(credentials: login_credentials)
+  #
+  # If you omit the `:client` option, a new {Aws::Signin::Client} object will
+  # be constructed with additional options that were provided.
+  class LoginCredentials
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @option options [required, String] :login_session An opaque string
+    #   used to determine the cache file location. This value can be found
+    #   in the AWS config file which is set by the AWS CLI/AWS Tools for
+    #   PowerShell automatically.
+    #
+    # @option options [Signin::Client] :client Optional `Signin::Client`.
+    #   If not provided, a client will be constructed.
+    def initialize(options = {})
+      raise ArgumentError, 'Missing login_session' unless options[:login_session]
+
+      @login_session = options.delete(:login_session)
+      @client = options[:client]
+      unless @client
+        client_opts = options.reject { |key, _| CLIENT_EXCLUDE_OPTIONS.include?(key) }
+        @client = Signin::Client.new(client_opts.merge(credentials: nil))
+      end
+      @metrics = ['CREDENTIALS_LOGIN']
+      @async_refresh = true
+      super
+    end
+
+    # @return [Signin::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # First reload the token from disk to ensure it hasn't been refreshed externally
+      token_json = read_cached_token
+      update_creds(token_json['accessToken'])
+      return if @credentials && @expiration && !near_expiration?(sync_expiration_length)
+
+      # Using OpenSSL 3.6.0 may result in errors like "certificate verify failed (unable to get certificate CRL)."
+      # A recommended workaround is to use OpenSSL version < 3.6.0 or requiring the openssl gem with a version of at
+      # least 3.2.2. GitHub issue: https://github.com/openssl/openssl/issues/28752.
+      if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('3.6.') &&
+         (!Gem.loaded_specs['openssl'] || Gem.loaded_specs['openssl'].version < Gem::Version.new('3.2.2'))
+        warn 'WARNING: OpenSSL 3.6.x may cause certificate verify errors - use OpenSSL < 3.6.0 or openssl gem >= 3.2.2'
+      end
+
+      # Attempt to refresh the token
+      attempt_refresh(token_json)
+
+      # Raise if token is hard expired
+      return unless !@expiration || @expiration < Time.now
+
+      raise Errors::InvalidLoginToken,
+            'Login token is invalid and failed to refresh. Please reauthenticate.'
+    end
+
+    def read_cached_token
+      cached_token = JSON.load_file(login_cache_file)
+      validate_cached_token(cached_token)
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError
+      raise Errors::InvalidLoginToken,
+            "Failed to load a Login token for login session #{@login_session}. Please reauthenticate."
+    end
+
+    def login_cache_file
+      directory = ENV['AWS_LOGIN_CACHE_DIRECTORY'] || File.join(Dir.home, '.aws', 'login', 'cache')
+      login_session_sha = OpenSSL::Digest::SHA256.hexdigest(@login_session.strip.encode('utf-8'))
+      File.join(directory, "#{login_session_sha}.json")
+    end
+
+    def validate_cached_token(cached_token)
+      required_cached_token_fields = %w[accessToken clientId refreshToken dpopKey]
+      missing_fields = required_cached_token_fields.reject { |field| cached_token[field] }
+      unless missing_fields.empty?
+        raise ArgumentError, "Cached login token is missing required field(s): #{missing_fields}. " \
+          'Please reauthenticate.'
+      end
+
+      access_token = cached_token['accessToken']
+      required_access_token_fields = %w[accessKeyId secretAccessKey sessionToken accountId expiresAt]
+      missing_fields = required_access_token_fields.reject { |field| access_token[field] }
+
+      return if missing_fields.empty?
+
+      raise ArgumentError, "Access token in cached login token is missing required field(s): #{missing_fields}. " \
+        'Please reauthenticate.'
+    end
+
+    def update_creds(access_token)
+      @credentials = Credentials.new(
+        access_token['accessKeyId'],
+        access_token['secretAccessKey'],
+        access_token['sessionToken'],
+        account_id: access_token['accountId']
+      )
+      @expiration = Time.parse(access_token['expiresAt'])
+    end
+
+    def attempt_refresh(token_json)
+      resp = make_request(token_json)
+      parse_resp(resp.token_output, token_json)
+      update_creds(token_json['accessToken'])
+      update_token_cache(token_json)
+    rescue Signin::Errors::AccessDeniedException => e
+      case e.error
+      when 'TOKEN_EXPIRED'
+        warn 'Your session has expired. Please reauthenticate.'
+      when 'USER_CREDENTIALS_CHANGED'
+        warn 'Unable to refresh credentials because of a change in your password. ' \
+          'Please reauthenticate with your new password.'
+      when 'INSUFFICIENT_PERMISSIONS'
+        warn 'Unable to refresh credentials due to insufficient permissions. ' \
+          'You may be missing permission for the `CreateOAuth2Token` action.'
+      end
+    rescue StandardError => e
+      warn("Failed to refresh Login token for LoginCredentials: #{e.message}")
+    end
+
+    def make_request(token_json)
+      options = {
+        token_input: {
+          client_id: token_json['clientId'],
+          grant_type: 'refresh_token',
+          refresh_token: token_json['refreshToken']
+        }
+      }
+      req = @client.build_request(:create_o_auth_2_token, options)
+      endpoint_params = Aws::Signin::EndpointParameters.create(req.context.config)
+      endpoint = req.context.config.endpoint_provider.resolve_endpoint(endpoint_params)
+      endpoint = URI.join(endpoint.url, @client.config.api.operation(:create_o_auth_2_token).http_request_uri).to_s
+      req.context.http_request.headers['DPoP'] = dpop_proof(token_json['dpopKey'], endpoint)
+      req.send_request
+    end
+
+    def dpop_proof(dpop_key, endpoint)
+      # Load private key from cached token file
+      private_key = OpenSSL::PKey.read(dpop_key)
+      public_key = private_key.public_key.to_octet_string(:uncompressed)
+
+      # Construct header and payload
+      header = build_header(public_key[1, 32], public_key[33, 32])
+      payload = build_payload(endpoint)
+
+      # Base64URL encode header and payload, sign message using private key, and create header
+      message = build_message(header, payload)
+      signature = private_key.sign(OpenSSL::Digest.new('SHA256'), message)
+      jws_signature = der_to_jws(signature)
+      "#{message}.#{Base64.urlsafe_encode64(jws_signature, padding: false)}"
+    end
+
+    def build_header(x_bytes, y_bytes)
+      {
+        'alg' => 'ES256', # signing algorithm
+        'jwk' => {
+          'crv' => 'P-256', # curve name
+          'kty' => 'EC', # key type
+          'x' => Base64.urlsafe_encode64(x_bytes, padding: false), # public x coordinate
+          'y' => Base64.urlsafe_encode64(y_bytes, padding: false) # public y coordinate
+        },
+        'typ' => 'dpop+jwt' # hardcoded
+      }
+    end
+
+    def build_payload(htu)
+      {
+        'jti' => SecureRandom.uuid, # unique identifier (UUID4)
+        'htm' => @client.config.api.operation(:create_o_auth_2_token).http_method, # POST
+        'htu' => htu, # endpoint of the CreateOAuth2Token operation, with path
+        'iat' => Time.now.utc.to_i # UTC timestamp, specified number of seconds from 1970-01-01T00:00:00Z UTC
+      }
+    end
+
+    def build_message(header, payload)
+      encoded_header = Base64.urlsafe_encode64(JSON.dump(header), padding: false)
+      encoded_payload = Base64.urlsafe_encode64(JSON.dump(payload), padding: false)
+      "#{encoded_header}.#{encoded_payload}"
+    end
+
+    # Converts DER-encoded ASN.1 signature to JWS
+    def der_to_jws(der_signature)
+      asn1 = OpenSSL::ASN1.decode(der_signature)
+      r = asn1.value[0].value
+      s = asn1.value[1].value
+
+      r_hex = r.to_s(16).rjust(64, '0')
+      s_hex = s.to_s(16).rjust(64, '0')
+
+      [r_hex + s_hex].pack('H*')
+    end
+
+    def parse_resp(resp, token_json)
+      access_token = token_json['accessToken']
+      access_token.merge!(
+        'accessKeyId' => resp.access_token.access_key_id,
+        'secretAccessKey' => resp.access_token.secret_access_key,
+        'sessionToken' => resp.access_token.session_token,
+        'expiresAt' => (Time.now.utc + resp.expires_in).to_datetime.rfc3339
+      )
+      token_json['refreshToken'] = resp.refresh_token
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      # File.write is not atomic so use temp file and move
+      temp_file = Tempfile.new('temp_file')
+      begin
+        temp_file.write(Json.dump(cached_token))
+        temp_file.close
+        FileUtils.mv(temp_file.path, login_cache_file)
+      ensure
+        temp_file.unlink if File.exist?(temp_file.path) # Ensure temp file is cleaned up
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/checksum_algorithm.rb

@@ -190,7 +190,6 @@ module Aws
               name: "x-amz-checksum-#{algorithm.downcase}",
               request_algorithm_header: request_algorithm_header(context)
             }
-
             context[:http_checksum][:request_algorithm] = request_algorithm
             calculate_request_checksum(context, request_algorithm)
           end
@@ -249,6 +248,7 @@ module Aws
           return unless context.operation.http_checksum
 
           input_member = context.operation.http_checksum['requestAlgorithmMember']
+
           context.params[input_member.to_sym] ||= DEFAULT_CHECKSUM if input_member
         end
 
@@ -271,25 +271,39 @@ module Aws
           context.operation.http_checksum['responseAlgorithms']
         end
 
-        def checksum_required?(context)
-          (http_checksum = context.operation.http_checksum) &&
-            (checksum_required = http_checksum['requestChecksumRequired']) &&
-            (checksum_required && context.config.request_checksum_calculation == 'when_required')
-        end
-
-        def checksum_optional?(context)
-          context.operation.http_checksum &&
-            context.config.request_checksum_calculation != 'when_required'
-        end
-
         def checksum_provided_as_header?(headers)
           headers.any? { |k, _| k.start_with?('x-amz-checksum-') }
         end
 
+        # Determines whether a request checksum should be calculated.
+        # 1. **No existing checksum in header**: Skips if checksum header already present
+        # 2. **Operation support**: Considers model, client configuration and user input.
         def should_calculate_request_checksum?(context)
           !checksum_provided_as_header?(context.http_request.headers) &&
-            request_algorithm_selection(context) &&
-            (checksum_required?(context) || checksum_optional?(context))
+            checksum_applicable?(context)
+        end
+
+        # Checks if checksum calculation should proceed based on operation requirements and client settings.
+        # Returns true when any of these conditions are met:
+        # 1. http checksum's requestChecksumRequired is true
+        # 2. Config for request_checksum_calculation is "when_supported"
+        # 3. Config for request_checksum_calculation is "when_required" AND user provided checksum algorithm
+        def checksum_applicable?(context)
+          http_checksum = context.operation.http_checksum
+          return false unless http_checksum
+
+          return true if http_checksum['requestChecksumRequired']
+
+          return false unless (algorithm_member = http_checksum['requestAlgorithmMember'])
+
+          case context.config.request_checksum_calculation
+          when 'when_supported'
+            true
+          when 'when_required'
+            !context.params[algorithm_member.to_sym].nil?
+          else
+            false
+          end
         end
 
         def choose_request_algorithm!(context)

data/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -14,64 +14,68 @@ module Aws
 
       option(:account_id, doc_type: String, docstring: '')
 
-      option(:profile,
+      option(
+        :profile,
         doc_default: 'default',
         doc_type: String,
-        docstring: <<-DOCS)
-Used when loading credentials from the shared credentials file
-at HOME/.aws/credentials.  When not specified, 'default' is used.
+        docstring: <<~DOCS)
+          Used when loading credentials from the shared credentials file at `HOME/.aws/credentials`.
+          When not specified, 'default' is used.
         DOCS
 
-      option(:credentials,
+      option(
+        :credentials,
         required: true,
         doc_type: 'Aws::CredentialProvider',
         rbs_type: 'untyped',
-        docstring: <<-DOCS
-Your AWS credentials. This can be an instance of any one of the
-following classes:
+        docstring: <<~DOCS
+          Your AWS credentials used for authentication. This can be any class that includes and implements
+          `Aws::CredentialProvider`, or instance of any one of the following classes:
 
-* `Aws::Credentials` - Used for configuring static, non-refreshing
-  credentials.
+          * `Aws::Credentials` - Used for configuring static, non-refreshing
+            credentials.
 
-* `Aws::SharedCredentials` - Used for loading static credentials from a
-  shared file, such as `~/.aws/config`.
+          * `Aws::SharedCredentials` - Used for loading static credentials from a
+            shared file, such as `~/.aws/config`.
 
-* `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
+          * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
 
-* `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
-  assume a role after providing credentials via the web.
+          * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to
+            assume a role after providing credentials via the web.
 
-* `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
-  access token generated from `aws login`.
+          * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an
+            access token generated from `aws login`.
 
-* `Aws::ProcessCredentials` - Used for loading credentials from a
-  process that outputs to stdout.
+          * `Aws::ProcessCredentials` - Used for loading credentials from a
+            process that outputs to stdout.
 
-* `Aws::InstanceProfileCredentials` - Used for loading credentials
-  from an EC2 IMDS on an EC2 instance.
+          * `Aws::InstanceProfileCredentials` - Used for loading credentials
+            from an EC2 IMDS on an EC2 instance.
 
-* `Aws::ECSCredentials` - Used for loading credentials from
-  instances running in ECS.
+          * `Aws::ECSCredentials` - Used for loading credentials from
+            instances running in ECS.
 
-* `Aws::CognitoIdentityCredentials` - Used for loading credentials
-  from the Cognito Identity service.
+          * `Aws::CognitoIdentityCredentials` - Used for loading credentials
+            from the Cognito Identity service.
 
-When `:credentials` are not configured directly, the following
-locations will be searched for credentials:
+          When `:credentials` are not configured directly, the following locations will be searched for credentials:
 
-* `Aws.config[:credentials]`
-* The `:access_key_id`, `:secret_access_key`, `:session_token`, and
-  `:account_id` options.
-* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'],
-  ENV['AWS_SESSION_TOKEN'], and ENV['AWS_ACCOUNT_ID']
-* `~/.aws/credentials`
-* `~/.aws/config`
-* EC2/ECS IMDS instance profile - When used by default, the timeouts
-  are very aggressive. Construct and pass an instance of
-  `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
-  enable retries and extended timeouts. Instance profile credential
-  fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
-  to true.
+          * `Aws.config[:credentials]`
+
+          * The `:access_key_id`, `:secret_access_key`, `:session_token`, and
+            `:account_id` options.
+
+          * `ENV['AWS_ACCESS_KEY_ID']`, `ENV['AWS_SECRET_ACCESS_KEY']`,
+            `ENV['AWS_SESSION_TOKEN']`, and `ENV['AWS_ACCOUNT_ID']`.
+
+          * `~/.aws/credentials`
+
+          * `~/.aws/config`
+
+          * EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive.
+            Construct and pass an instance of `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to
+            enable retries and extended timeouts. Instance profile credential fetching can be disabled by
+            setting `ENV['AWS_EC2_METADATA_DISABLED']` to `true`.
         DOCS
       ) do |config|
         CredentialProviderChain.new(config).resolve
@@ -81,31 +85,43 @@ locations will be searched for credentials:
 
       option(:instance_profile_credentials_timeout, 1)
 
-      option(:token_provider,
-             required: false,
-             doc_type: 'Aws::TokenProvider',
-             rbs_type: 'untyped',
-             docstring: <<-DOCS
-A Bearer Token Provider. This can be an instance of any one of the
-following classes:
+      option(
+        :token_provider,
+        doc_type: 'Aws::TokenProvider',
+        rbs_type: 'untyped',
+        docstring: <<~DOCS
+          Your Bearer token used for authentication. This can be any class that includes and implements
+          `Aws::TokenProvider`, or instance of any one of the following classes:
 
-* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
-  tokens.
+          * `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+            tokens.
 
-* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
-  access token generated from `aws login`.
+          * `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+            access token generated from `aws login`.
 
-When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
-will be used to search for tokens configured for your profile in shared configuration files.
-      DOCS
+          When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+          will be used to search for tokens configured for your profile in shared configuration files.
+        DOCS
       ) do |config|
-        if config.stub_responses
-          StaticTokenProvider.new('token')
-        else
-          TokenProviderChain.new(config).resolve
-        end
+        TokenProviderChain.new(config).resolve
       end
 
+      option(
+        :auth_scheme_preference,
+        doc_type: 'Array<String>',
+        rbs_type: 'Array[String]',
+        docstring: <<~DOCS
+          A list of preferred authentication schemes to use when making a request. Supported values are:
+          `sigv4`, `sigv4a`, `httpBearerAuth`, and `noAuth`. When set using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or in
+          shared config as `auth_scheme_preference`, the value should be a comma-separated list.
+        DOCS
+      ) do |config|
+        value =
+          ENV['AWS_AUTH_SCHEME_PREFERENCE'] ||
+          Aws.shared_config.auth_scheme_preference(profile: config.profile) ||
+          ''
+        value.gsub(' ', '').gsub("\t", '').split(',')
+      end
     end
   end
 end

data/lib/aws-sdk-core/plugins/sign.rb

@@ -13,9 +13,6 @@ module Aws
       option(:sigv4_region)
       option(:unsigned_operations, default: [])
 
-      supported_auth_types = %w[sigv4 bearer sigv4-s3express sigv4a none]
-      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
-
       def add_handlers(handlers, cfg)
         operations = cfg.api.operation_names - cfg.unsigned_operations
         handlers.add(Handler, step: :sign, operations: operations)
@@ -32,7 +29,7 @@ module Aws
           }
           SignatureV4.new(auth_scheme, config, sigv4_overrides)
         when 'bearer'
-          Bearer.new
+          Bearer.new(config)
         else
           NullSigner.new
         end
@@ -41,7 +38,6 @@ module Aws
       class Handler < Seahorse::Client::Handler
         def call(context)
           # Skip signing if using sigv2 signing from s3_signer in S3
-          credentials = nil
           unless v2_signing?(context.config)
             signer = Sign.signer_for(
               context[:auth_scheme],
@@ -49,18 +45,22 @@ module Aws
               context[:sigv4_region],
               context[:sigv4_credentials]
             )
-            credentials = signer.credentials if signer.is_a?(SignatureV4)
             signer.sign(context)
           end
-          with_metrics(credentials) { @handler.call(context) }
+          with_metrics(signer) { @handler.call(context) }
         end
 
         private
 
-        def with_metrics(credentials, &block)
-          return block.call unless credentials&.respond_to?(:metrics)
-
-          Aws::Plugins::UserAgent.metric(*credentials.metrics, &block)
+        def with_metrics(signer, &block)
+          case signer
+          when SignatureV4
+            Aws::Plugins::UserAgent.metric(*signer.credentials.metrics, &block)
+          when Bearer
+            Aws::Plugins::UserAgent.metric(*signer.token_provider.metrics, &block)
+          else
+            block.call
+          end
         end
 
         def v2_signing?(config)
@@ -72,21 +72,19 @@ module Aws
 
       # @api private
       class Bearer
-        def initialize
+        def initialize(config)
+          @token_provider = config.token_provider
         end
 
+        attr_reader :token_provider
+
         def sign(context)
           if context.http_request.endpoint.scheme != 'https'
-            raise ArgumentError,
-                  'Unable to use bearer authorization on non https endpoint.'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
           end
+          raise Errors::MissingBearerTokenError unless @token_provider && @token_provider.set?
 
-          token_provider = context.config.token_provider
-
-          raise Errors::MissingBearerTokenError unless token_provider&.set?
-
-          context.http_request.headers['Authorization'] =
-            "Bearer #{token_provider.token.token}"
+          context.http_request.headers['Authorization'] = "Bearer #{@token_provider.token.token}"
         end
 
         def presign_url(*args)
@@ -100,16 +98,11 @@ module Aws
 
       # @api private
       class SignatureV4
-        attr_reader :signer
-
         def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
-
           unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
-            raise ArgumentError,
-                  "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
+            raise ArgumentError, "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
           end
-
           region = if scheme_name == 'sigv4a'
                      auth_scheme['signingRegionSet'].join(',')
                    else
@@ -121,8 +114,8 @@ module Aws
               region: sigv4_overrides[:region] || config.sigv4_region || region,
               credentials_provider: sigv4_overrides[:credentials] || config.credentials,
               signing_algorithm: scheme_name.to_sym,
-              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
-              normalize_path: !!!auth_scheme['disableNormalizePath'],
+              uri_escape_path: !auth_scheme['disableDoubleEncoding'],
+              normalize_path: !auth_scheme['disableNormalizePath'],
               unsigned_headers: %w[content-length user-agent x-amzn-trace-id expect transfer-encoding connection]
             )
           rescue Aws::Sigv4::Errors::MissingCredentialsError
@@ -130,6 +123,8 @@ module Aws
           end
         end
 
+        attr_reader :signer
+
         def sign(context)
           req = context.http_request
 

data/lib/aws-sdk-core/plugins/stub_responses.rb

@@ -29,6 +29,12 @@ requests are made, and retries are disabled.
         end
       end
 
+      option(:token_provider) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('stubbed-token')
+        end
+      end
+
       option(:stubs) { {} }
       option(:stubs_mutex) { Mutex.new }
       option(:api_requests) { [] }

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -54,7 +54,10 @@ module Aws
           "CREDENTIALS_HTTP" : "z",
           "CREDENTIALS_IMDS" : "0",
           "SSO_LOGIN_DEVICE" : "1",
-          "SSO_LOGIN_AUTH" : "2"
+          "SSO_LOGIN_AUTH" : "2",
+          "BEARER_SERVICE_ENV_VARS": "3",
+          "CREDENTIALS_PROFILE_LOGIN": "AC",
+          "CREDENTIALS_LOGIN": "AD"
         }
       METRICS
 

data/lib/aws-sdk-core/refreshing_credentials.rb

@@ -1,28 +1,26 @@
 # frozen_string_literal: true
 
 module Aws
-
   # Base class used credential classes that can be refreshed. This
   # provides basic refresh logic in a thread-safe manner. Classes mixing in
-  # this module are expected to implement a #refresh method that populates
+  # this module are expected to implement a `#refresh` method that populates
   # the following instance variables:
   #
-  # * `@access_key_id`
-  # * `@secret_access_key`
-  # * `@session_token`
-  # * `@expiration`
+  # * `@credentials` ({Credentials})
+  # * `@expiration` (Time)
   #
-  # @api private
   module RefreshingCredentials
-
     SYNC_EXPIRATION_LENGTH = 300 # 5 minutes
     ASYNC_EXPIRATION_LENGTH = 600 # 10 minutes
 
     CLIENT_EXCLUDE_OPTIONS = Set.new([:before_refresh]).freeze
 
+    # @param [Hash] options
+    # @option options [Proc] :before_refresh A Proc called before credentials are refreshed.
+    #   It accepts `self` as the only argument.
     def initialize(options = {})
       @mutex = Mutex.new
-      @before_refresh = options.delete(:before_refresh) if Hash === options
+      @before_refresh = options.delete(:before_refresh) if options.is_a?(Hash)
 
       @before_refresh.call(self) if @before_refresh
       refresh
@@ -59,7 +57,7 @@ module Aws
     # Otherwise, if we're approaching expiration, use the existing credentials
     # but attempt a refresh in the background.
     def refresh_if_near_expiration!
-      # Note: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
+      # NOTE: This check is an optimization. Rather than acquire the mutex on every #refresh_if_near_expiration
       # call, we check before doing so, and then we check within the mutex to avoid a race condition.
       # See issue: https://github.com/aws/aws-sdk-ruby/issues/2641 for more info.
       if near_expiration?(sync_expiration_length)
@@ -91,6 +89,5 @@ module Aws
         true
       end
     end
-
   end
 end