aws-sdk-core 3.226.1 → 3.227.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2ca0fbdedab1c093c716160e76303794d1546fb910732e7399158149393379d
-  data.tar.gz: 80287b842e9382353bb5c5093495299d8bfefaa4c1ca41227e34eeb2cb0ee592
+  metadata.gz: aa0cf0c6bd904859d63bf83c9caf8694b64dc83f3a028c5d4eeac6cd7834be7f
+  data.tar.gz: 1ebd41513f215df4a76ffd6999f6a0850446ddd76c27e407cda2aeec94ee0a11
 SHA512:
-  metadata.gz: 95520dcd178c17ffee6588d5c840dcab71184746d1b3b9262de70a43a9fb2fb43ba0e773c6d4dcf08cdc0fc7639b407a644050e002edf34dc288077577e2577a
-  data.tar.gz: 963666144b4c5f8f9826a667060e371b73772fa3fae57066cbcac775bc8a56a6e12350984bce5241a90e53d8e29f95e6be78b472c53a319af6b56b15a51f3bc3
+  metadata.gz: 73e737ea3ea9ad6a2842c849c95b160fc2fe2bb3ed93b032248203cea51fb0d6809ec7f155571ccdc713051f55c818b6f4d4874e1559d8d68554d08cff5765e4
+  data.tar.gz: f8759e719562f8b1cc1f892acc206312d34741bfaa08773da1e9e1c248bc5a267e27cb9e8c5881a3413a358812c529385e6040b4b85f9df98310409b4a314fd3

data/CHANGELOG.md

@@ -1,6 +1,31 @@
 Unreleased Changes
 ------------------
 
+3.227.0 (2025-07-21)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Support an auth scheme signing preference list using `ENV['AWS_AUTH_SCHEME_PREFERENCE']` or `auth_scheme_preference` in shared configuration.
+
+* Feature - Support metric tracking for Bedrock Bearer tokens.
+
+3.226.3 (2025-07-17)
+------------------
+
+* Issue - Skip `Aws::InstanceProfileCredentials` instantiation when `ENV['AWS_EC2_METADATA_DISABLED']` is set to `true` in the credential resolution chain.
+
+* Issue - Refactor `InstanceProfileCredentials` to improve code clarity and documentation. 
+
+3.226.2 (2025-07-01)
+------------------
+
+* Issue - Document incorrect behavior in protocol error parsing (specifically around query and query compatible services).
+
 3.226.1 (2025-06-24)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.226.1
+3.227.0

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -191,7 +191,7 @@ module Aws
       if ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] ||
          ENV['AWS_CONTAINER_CREDENTIALS_FULL_URI']
         ECSCredentials.new(options)
-      else
+      elsif !(ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true')
         InstanceProfileCredentials.new(options.merge(profile: profile_name))
       end
     end

data/lib/aws-sdk-core/endpoints.rb

@@ -19,19 +19,28 @@ require 'aws-sigv4'
 module Aws
   # @api private
   module Endpoints
-    SUPPORTED_AUTH_TRAITS = %w[
-      aws.auth#sigv4
-      aws.auth#sigv4a
-      smithy.api#httpBearerAuth
-      smithy.api#noAuth
-    ].freeze
+    # Maps config auth scheme preferences to endpoint auth scheme names.
+    ENDPOINT_AUTH_PREFERENCE_MAP = {
+      'sigv4' => %w[sigv4 sigv4-s3express],
+      'sigv4a' => ['sigv4a'],
+      'httpBearerAuth' => ['bearer'],
+      'noAuth' => ['none']
+    }.freeze
+    SUPPORTED_ENDPOINT_AUTH = ENDPOINT_AUTH_PREFERENCE_MAP.values.flatten.freeze
+
+    # Maps configured auth scheme preferences to modeled auth traits.
+    MODELED_AUTH_PREFERENCE_MAP = {
+      'sigv4' => 'aws.auth#sigv4',
+      'sigv4a' => 'aws.auth#sigv4a',
+      'httpBearerAuth' => 'smithy.api#httpBearerAuth',
+      'noAuth' => 'smithy.api#noAuth'
+    }.freeze
+    SUPPORTED_MODELED_AUTH = MODELED_AUTH_PREFERENCE_MAP.values.freeze
 
     class << self
       def resolve_auth_scheme(context, endpoint)
         if endpoint && (auth_schemes = endpoint.properties['authSchemes'])
-          auth_scheme = auth_schemes.find do |scheme|
-            Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES.include?(scheme['name'])
-          end
+          auth_scheme = endpoint_auth_scheme_preference(auth_schemes, context.config.auth_scheme_preference)
           raise 'No supported auth scheme for this endpoint.' unless auth_scheme
 
           merge_signing_defaults(auth_scheme, context.config)
@@ -42,6 +51,16 @@ module Aws
 
       private
 
+      def endpoint_auth_scheme_preference(auth_schemes, preferred_auth)
+        ordered_auth = preferred_auth.each_with_object([]) do |pref, list|
+          next unless ENDPOINT_AUTH_PREFERENCE_MAP.key?(pref)
+
+          ENDPOINT_AUTH_PREFERENCE_MAP[pref].each { |name| list << { 'name' => name } }
+        end
+        ordered_auth += auth_schemes
+        ordered_auth.find { |auth| SUPPORTED_ENDPOINT_AUTH.include?(auth['name']) }
+      end
+
       def merge_signing_defaults(auth_scheme, config)
         if %w[sigv4 sigv4a sigv4-s3express].include?(auth_scheme['name'])
           auth_scheme['signingName'] ||= sigv4_name(config)
@@ -64,13 +83,12 @@ module Aws
       end
 
       def sigv4_name(config)
-        config.api.metadata['signingName'] ||
-          config.api.metadata['endpointPrefix']
+        config.api.metadata['signingName'] || config.api.metadata['endpointPrefix']
       end
 
       def default_auth_scheme(context)
-        if (auth_list = default_api_auth(context))
-          auth = auth_list.find { |a| SUPPORTED_AUTH_TRAITS.include?(a) }
+        if (modeled_auth = default_api_auth(context))
+          auth = modeled_auth_scheme_preference(modeled_auth, context.config.auth_scheme_preference)
           case auth
           when 'aws.auth#sigv4', 'aws.auth#sigv4a'
             auth_scheme = { 'name' => auth.split('#').last }
@@ -93,6 +111,12 @@ module Aws
         end
       end
 
+      def modeled_auth_scheme_preference(modeled_auth, preferred_auth)
+        ordered_auth = preferred_auth.map { |pref| MODELED_AUTH_PREFERENCE_MAP[pref] }.compact
+        ordered_auth += modeled_auth
+        ordered_auth.find { |auth| SUPPORTED_MODELED_AUTH.include?(auth) }
+      end
+
       def default_api_auth(context)
         context.config.api.operation(context.operation_name)['auth'] ||
           context.config.api.metadata['auth']

data/lib/aws-sdk-core/error_handler.rb

@@ -1,12 +1,17 @@
 # frozen_string_literal: true
 
 module Aws
+  # @api private
   class ErrorHandler < Seahorse::Client::Handler
 
     private
 
     def error(context)
       body = context.http_response.body_contents
+      # This is not correct per protocol tests. Some headers will determine the error code.
+      # If the body is empty, there is still potentially an error code from the header, but
+      # we are making a generic http status error instead. In a new major version, we should
+      # always try to extract header, and during extraction, check headers and body.
       if body.empty?
         code, message, data = http_status_error(context)
       else

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -4,11 +4,23 @@ require 'time'
 require 'net/http'
 
 module Aws
-  # An auto-refreshing credential provider that loads credentials from
-  # EC2 instances.
+  # An auto-refreshing credential provider that loads credentials from EC2 instances.
   #
   #     instance_credentials = Aws::InstanceProfileCredentials.new
   #     ec2 = Aws::EC2::Client.new(credentials: instance_credentials)
+  #
+  # ## Retries
+  # When initialized from the default credential chain, this provider defaults to `0` retries.
+  # Breakdown of retries is as follows:
+  #
+  #  * **Configurable retries** (defaults to `1`): these retries handle errors when communicating
+  #     with the IMDS endpoint. There are two separate retry mechanisms within the provider:
+  #       * Entire token fetch and credential retrieval process
+  #       * Token fetching
+  #  * **JSON parsing retries**: Fixed at 3 attempts to handle cases when IMDS returns malformed JSON
+  #     responses. These retries are separate from configurable retries.
+  #
+  # @see https://docs.aws.amazon.com/sdkref/latest/guide/feature-imds-credentials.html IMDS Credential Provider
   class InstanceProfileCredentials
     include CredentialProvider
     include RefreshingCredentials
@@ -22,10 +34,8 @@ module Aws
     # @api private
     class TokenExpiredError < RuntimeError; end
 
-    # These are the errors we trap when attempting to talk to the
-    # instance metadata service.  Any of these imply the service
-    # is not present, no responding or some other non-recoverable
-    # error.
+    # These are the errors we trap when attempting to talk to the instance metadata service.
+    # Any of these imply the service is not present, no responding or some other non-recoverable error.
     # @api private
     NETWORK_ERRORS = [
       Errno::EHOSTUNREACH,
@@ -46,100 +56,113 @@ module Aws
     METADATA_TOKEN_PATH = '/latest/api/token'.freeze
 
     # @param [Hash] options
-    # @option options [Integer] :retries (1) Number of times to retry
-    #   when retrieving credentials.
-    # @option options [String] :endpoint ('http://169.254.169.254') The IMDS
-    #   endpoint. This option has precedence over the :endpoint_mode.
-    # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for
-    #   the instance metadata service. This is either 'IPv4' ('169.254.169.254')
-    #   or 'IPv6' ('[fd00:ec2::254]').
-    # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the
-    #  legacy EC2 Metadata Service v1.
-    # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use
-    #   :endpoint instead. The IP address for the endpoint.
+    # @option options [Integer] :retries (1) Number of times to retry when retrieving credentials.
+    # @option options [String] :endpoint ('http://169.254.169.254') The IMDS endpoint. This option has precedence
+    #    over the `:endpoint_mode`.
+    # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for the instance metadata service. This is
+    #   either 'IPv4' (`169.254.169.254`) or IPv6' (`[fd00:ec2::254]`).
+    # @option options [Boolean] :disable_imds_v1 (false) Disable the use of the legacy EC2 Metadata Service v1.
+    # @option options [String] :ip_address ('169.254.169.254') Deprecated. Use `:endpoint` instead.
+    #   The IP address for the endpoint.
     # @option options [Integer] :port (80)
     # @option options [Float] :http_open_timeout (1)
     # @option options [Float] :http_read_timeout (1)
-    # @option options [Numeric, Proc] :delay By default, failures are retried
-    #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
-    #   pass a number of seconds to sleep between failed attempts, or
-    #   a Proc that accepts the number of failures.
-    # @option options [IO] :http_debug_output (nil) HTTP wire
-    #   traces are sent to this object.  You can specify something
-    #   like $stdout.
-    # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
-    #   Metadata Token used for fetching Metadata Profile Credentials, defaults
-    #   to 21600 seconds
-    # @option options [Callable] before_refresh Proc called before
-    #   credentials are refreshed. `before_refresh` is called
-    #   with an instance of this object when
-    #   AWS credentials are required and need to be refreshed.
+    # @option options [Numeric, Proc] :delay By default, failures are retried with exponential back-off, i.e.
+    #   `sleep(1.2 ** num_failures)`. You can pass a number of seconds to sleep between failed attempts, or a Proc
+    #   that accepts the number of failures.
+    # @option options [IO] :http_debug_output (nil) HTTP wire traces are sent to this object.
+    #   You can specify something like `$stdout`.
+    # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2 Metadata Token used for fetching
+    #   Metadata Profile Credentials, defaults to 21600 seconds.
+    # @option options [Callable] :before_refresh Proc called before credentials are refreshed. `before_refresh`
+    #   is called with an instance of this object when AWS credentials are required and need to be refreshed.
     def initialize(options = {})
-      @retries = options[:retries] || 1
-      endpoint_mode = resolve_endpoint_mode(options)
-      @endpoint = resolve_endpoint(options, endpoint_mode)
-      @port = options[:port] || 80
+      @backoff = resolve_backoff(options[:backoff])
       @disable_imds_v1 = resolve_disable_v1(options)
-      # Flag for if v2 flow fails, skip future attempts
-      @imds_v1_fallback = false
+      @endpoint = resolve_endpoint(options)
       @http_open_timeout = options[:http_open_timeout] || 1
       @http_read_timeout = options[:http_read_timeout] || 1
       @http_debug_output = options[:http_debug_output]
-      @backoff = backoff(options[:backoff])
+      @port = options[:port] || 80
+      @retries = options[:retries] || 1
       @token_ttl = options[:token_ttl] || 21_600
-      @token = nil
-      @no_refresh_until = nil
+
       @async_refresh = false
+      @imds_v1_fallback = false
+      @no_refresh_until = nil
+      @token = nil
       @metrics = ['CREDENTIALS_IMDS']
       super
     end
 
-    # @return [Integer] Number of times to retry when retrieving credentials
-    #   from the instance metadata service. Defaults to 0 when resolving from
-    #   the default credential chain ({Aws::CredentialProviderChain}).
+    # @return [Boolean0
+    attr_reader :disable_imds_v1
+
+    # @return [Integer]
+    attr_reader :token_ttl
+
+    # @return [Integer]
     attr_reader :retries
 
+    # @return [Proc]
+    attr_reader :backoff
+
+    # @return [String]
+    attr_reader :endpoint
+
+    # @return [Integer]
+    attr_reader :port
+
+    # @return [Integer]
+    attr_reader :http_open_timeout
+
+    # @return [Integer]
+    attr_reader :http_read_timeout
+
+    # @return [IO, nil]
+    attr_reader :http_debug_output
+
     private
 
     def resolve_endpoint_mode(options)
-      value = options[:endpoint_mode]
-      value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE']
-      value ||= Aws.shared_config.ec2_metadata_service_endpoint_mode(
-        profile: options[:profile]
-      )
-      value || 'IPv4'
+      options[:endpoint_mode] ||
+        ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE'] ||
+        Aws.shared_config.ec2_metadata_service_endpoint_mode(profile: options[:profile]) ||
+        'IPv4'
     end
 
-    def resolve_endpoint(options, endpoint_mode)
-      value = options[:endpoint] || options[:ip_address]
-      value ||= ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT']
-      value ||= Aws.shared_config.ec2_metadata_service_endpoint(
-        profile: options[:profile]
-      )
+    def resolve_endpoint(options)
+      if (value = options[:ip_address])
+        warn('The `:ip_address` option is deprecated. Use `:endpoint` instead.')
+        return value
+      end
 
+      value =
+        options[:endpoint] ||
+        ENV['AWS_EC2_METADATA_SERVICE_ENDPOINT'] ||
+        Aws.shared_config.ec2_metadata_service_endpoint(profile: options[:profile]) ||
+        nil
       return value if value
 
+      endpoint_mode = resolve_endpoint_mode(options)
       case endpoint_mode.downcase
       when 'ipv4' then 'http://169.254.169.254'
       when 'ipv6' then 'http://[fd00:ec2::254]'
       else
-        raise ArgumentError,
-              ':endpoint_mode is not valid, expected IPv4 or IPv6, '\
-              "got: #{endpoint_mode}"
+        raise ArgumentError, ":endpoint_mode is not valid, expected IPv4 or IPv6, got: #{endpoint_mode}"
       end
     end
 
     def resolve_disable_v1(options)
-      value = options[:disable_imds_v1]
-      value ||= ENV['AWS_EC2_METADATA_V1_DISABLED']
-      value ||= Aws.shared_config.ec2_metadata_v1_disabled(
-        profile: options[:profile]
-      )
-      value = value.to_s.downcase if value
-      Aws::Util.str_2_bool(value) || false
+      value =
+        options[:disable_imds_v1] ||
+        ENV['AWS_EC2_METADATA_V1_DISABLED'] ||
+        Aws.shared_config.ec2_metadata_v1_disabled(profile: options[:profile]) ||
+        'false'
+      Aws::Util.str_2_bool(value.to_s.downcase)
     end
 
-    def backoff(backoff)
+    def resolve_backoff(backoff)
       case backoff
       when Proc then backoff
       when Numeric then ->(_) { sleep(backoff) }
@@ -153,98 +176,74 @@ module Aws
         return
       end
 
-      # Retry loading credentials up to 3 times is the instance metadata
-      # service is responding but is returning invalid JSON documents
-      # in response to the GET profile credentials call.
-      begin
-        retry_errors([Aws::Json::ParseError], max_retries: 3) do
-          c = Aws::Json.load(get_credentials.to_s)
-          if empty_credentials?(@credentials)
-            @credentials = Credentials.new(
-              c['AccessKeyId'],
-              c['SecretAccessKey'],
-              c['Token']
-            )
-            @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-            if @expiration && @expiration < Time.now
-              @no_refresh_until = Time.now + refresh_offset
-              warn_expired_credentials
-            end
-          else
-            #  credentials are already set, update them only if the new ones are not empty
-            if !c['AccessKeyId'] || c['AccessKeyId'].empty?
-              # error getting new credentials
-              @no_refresh_until = Time.now + refresh_offset
-              warn_expired_credentials
-            else
-              @credentials = Credentials.new(
-                c['AccessKeyId'],
-                c['SecretAccessKey'],
-                c['Token']
-              )
-              @expiration = c['Expiration'] ? Time.iso8601(c['Expiration']) : nil
-              if @expiration && @expiration < Time.now
-                @no_refresh_until = Time.now + refresh_offset
-                warn_expired_credentials
-              end
-            end
+      new_creds =
+        begin
+          # Retry loading credentials up to 3 times is the instance metadata
+          # service is responding but is returning invalid JSON documents
+          # in response to the GET profile credentials call.
+          retry_errors([Aws::Json::ParseError], max_retries: 3) do
+            Aws::Json.load(retrieve_credentials.to_s)
           end
+        rescue Aws::Json::ParseError
+          raise Aws::Errors::MetadataParserError
         end
-      rescue Aws::Json::ParseError
-        raise Aws::Errors::MetadataParserError
+
+      if @credentials&.set? && empty_credentials?(new_creds)
+        # credentials are already set, but there was an error getting new credentials
+        # so don't update the credentials and use stale ones (static stability)
+        @no_refresh_until = Time.now + rand(300..360)
+        warn_expired_credentials
+      else
+        # credentials are empty or successfully retrieved, update them
+        update_credentials(new_creds)
       end
     end
 
-    def get_credentials
+    def retrieve_credentials
       # Retry loading credentials a configurable number of times if
       # the instance metadata service is not responding.
-      if _metadata_disabled?
-        '{}'
-      else
-        begin
-          retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-            open_connection do |conn|
-              # attempt to fetch token to start secure flow first
-              # and rescue to failover
-              fetch_token(conn) unless @imds_v1_fallback
-              token = @token.value if token_set?
-
-              # disable insecure flow if we couldn't get token
-              # and imds v1 is disabled
-              raise TokenRetrivalError if token.nil? && @disable_imds_v1
-
-              _get_credentials(conn, token)
-            end
+      begin
+        retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+          open_connection do |conn|
+            # attempt to fetch token to start secure flow first
+            # and rescue to failover
+            fetch_token(conn) unless @imds_v1_fallback || (@token && !@token.expired?)
+
+            # disable insecure flow if we couldn't get token and imds v1 is disabled
+            raise TokenRetrivalError if @token.nil? && @disable_imds_v1
+
+            fetch_credentials(conn)
           end
-        rescue => e
-          warn("Error retrieving instance profile credentials: #{e}")
-          '{}'
         end
+      rescue StandardError => e
+        warn("Error retrieving instance profile credentials: #{e}")
+        '{}'
       end
     end
 
+    def update_credentials(creds)
+      @credentials = Credentials.new(creds['AccessKeyId'], creds['SecretAccessKey'], creds['Token'])
+      @expiration = creds['Expiration'] ? Time.iso8601(creds['Expiration']) : nil
+      return unless @expiration && @expiration < Time.now
+
+      @no_refresh_until = Time.now + rand(300..360)
+      warn_expired_credentials
+    end
+
     def fetch_token(conn)
-      retry_errors(NETWORK_ERRORS, max_retries: @retries) do
-        unless token_set?
-          created_time = Time.now
-          token_value, ttl = http_put(
-            conn, METADATA_TOKEN_PATH, @token_ttl
-          )
-          @token = Token.new(token_value, ttl, created_time) if token_value && ttl
-        end
-      end
+      created_time = Time.now
+      token_value, ttl = http_put(conn)
+      @token = Token.new(token_value, ttl, created_time) if token_value && ttl
     rescue *NETWORK_ERRORS
       # token attempt failed, reset token
       # fallback to non-token mode
-      @token = nil
       @imds_v1_fallback = true
     end
 
-    # token is optional - if nil, uses v1 (insecure) flow
-    def _get_credentials(conn, token)
-      metadata = http_get(conn, METADATA_PATH_BASE, token)
+    def fetch_credentials(conn)
+      metadata = http_get(conn, METADATA_PATH_BASE)
       profile_name = metadata.lines.first.strip
-      http_get(conn, METADATA_PATH_BASE + profile_name, token)
+      http_get(conn, METADATA_PATH_BASE + profile_name)
     rescue TokenExpiredError
       # Token has expired, reset it
       # The next retry should fetch it
@@ -257,10 +256,6 @@ module Aws
       @token && !@token.expired?
     end
 
-    def _metadata_disabled?
-      ENV.fetch('AWS_EC2_METADATA_DISABLED', 'false').downcase == 'true'
-    end
-
     def open_connection
       uri = URI.parse(@endpoint)
       http = Net::HTTP.new(uri.hostname || @endpoint, uri.port || @port)
@@ -272,9 +267,9 @@ module Aws
     end
 
     # GET request fetch profile and credentials
-    def http_get(connection, path, token = nil)
+    def http_get(connection, path)
       headers = { 'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}" }
-      headers['x-aws-ec2-metadata-token'] = token if token
+      headers['x-aws-ec2-metadata-token'] = @token.value if @token
       response = connection.request(Net::HTTP::Get.new(path, headers))
 
       case response.code.to_i
@@ -288,12 +283,12 @@ module Aws
     end
 
     # PUT request fetch token with ttl
-    def http_put(connection, path, ttl)
+    def http_put(connection)
       headers = {
         'User-Agent' => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
-        'x-aws-ec2-metadata-token-ttl-seconds' => ttl.to_s
+        'x-aws-ec2-metadata-token-ttl-seconds' => @token_ttl.to_s
       }
-      response = connection.request(Net::HTTP::Put.new(path, headers))
+      response = connection.request(Net::HTTP::Put.new(METADATA_TOKEN_PATH, headers))
       case response.code.to_i
       when 200
         [
@@ -322,18 +317,12 @@ module Aws
     end
 
     def warn_expired_credentials
-      warn("Attempting credential expiration extension due to a credential "\
-        "service availability issue. A refresh of these credentials "\
-        "will be attempted again in 5 minutes.")
-    end
-
-    def empty_credentials?(creds)
-      !creds || !creds.access_key_id || creds.access_key_id.empty?
+      warn('Attempting credential expiration extension due to a credential service availability issue. '\
+             'A refresh of these credentials will be attempted again in 5 minutes.')
     end
 
-    # Compute an offset for refresh with jitter
-    def refresh_offset
-      300 + rand(0..60)
+    def empty_credentials?(creds_hash)
+      !creds_hash['AccessKeyId'] || creds_hash['AccessKeyId'].empty?
     end
 
     # @api private

data/lib/aws-sdk-core/json/error_handler.rb

@@ -2,6 +2,7 @@
 
 module Aws
   module Json
+    # @api private
     class ErrorHandler < Aws::ErrorHandler
 
       def call(context)
@@ -24,18 +25,21 @@ module Aws
       end
 
       def error_code(json, context)
+        # This is not correct per protocol tests. awsQueryError is intended to populate the
+        # error code of the error class. The error class should come from __type. Query and
+        # query compatible services currently have dynamic errors raised from error codes instead
+        # of the modeled error class. However, changing this in this major version would break
+        # existing usage.
         code =
           if aws_query_error?(context)
-            query_header = context.http_response.headers['x-amzn-query-error']
-            error, _type = query_header.split(';') # type not supported
-            remove_prefix(error, context)
+            aws_query_error_code(context)
           else
             json['__type']
           end
         code ||= json['code']
         code ||= context.http_response.headers['x-amzn-errortype']
         if code
-          code.split('#').last
+          code.split('#').last.split(':').first
         else
           http_status_error_code(context)
         end
@@ -46,6 +50,12 @@ module Aws
           context.http_response.headers['x-amzn-query-error']
       end
 
+      def aws_query_error_code(context)
+        query_header = context.http_response.headers['x-amzn-query-error']
+        error, _type = query_header.split(';') # type not supported
+        remove_prefix(error, context)
+      end
+
       def remove_prefix(error_code, context)
         if (prefix = context.config.api.metadata['errorPrefix'])
           error_code.sub(/^#{prefix}/, '')