aws-sdk-core 3.232.0 → 3.246.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ecdbb0ca615cde813f52b03861d36db189562c896e01499ed8dcd80768085300
-  data.tar.gz: 5ab8e9d52d9f7522afa27ff7c5c6e5e51f27f966ddba8bea62edb153307120c9
+  metadata.gz: f922871acf444deaef9037c130a6f9f5b85c42ea8244728aa863cdc00d529105
+  data.tar.gz: 23557f7949f3a6df2c7b50322d91fc5a4a4362e79c685553e2cb57ce04d93e19
 SHA512:
-  metadata.gz: b23f5bc51a113cfb8b6c0f7306d42c97872d2eff0c5fa0b395b9e714045c8a3446e91313d6d17317419520229ea809097e3abb794f2f448bd698ec982841032f
-  data.tar.gz: a02785a5b072cb04d27203fb6e990cfa01b10c59f8abdb221b0181b4d07d56a04d0bcc67f308a10fbeba0f3facdadabb77918815e10dbcd8629df25a6d41cc42
+  metadata.gz: 0574045e0ec195f54aa84ce917e3d1e64cca6063f6114d10b3daf15e7aebd8734de3a79c0d3d6d6676c0810a136d0c6c662293a9935bf769875a6408213565f9
+  data.tar.gz: d526ae465f9ddc6f954526bf75459143def62a1c87f7551d0979650ff7dc10b12a00f666acc5da63a23f7f4e22d588891b56079ad9c202eb97281876f6dd1937

data/CHANGELOG.md

@@ -1,6 +1,132 @@
 Unreleased Changes
 ------------------
 
+3.246.0 (2026-04-23)
+------------------
+
+* Feature - Updated configuration values for `defaults_mode`.
+
+3.245.0 (2026-04-17)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - The STS client now supports configuring SigV4a through the auth scheme preference setting. SigV4a uses asymmetric cryptography, enabling customers using long-term IAM credentials to continue making STS API calls even when a region is isolated from the partition leader.
+
+* Issue - Explicitly set 0600 permissions on SSO/login cache files.
+
+3.244.0 (2026-03-18)
+------------------
+
+* Feature - Support waiter error matcher to handle both boolean and boolean-string acceptors.
+
+3.243.0 (2026-03-05)
+------------------
+
+* Feature - Add user agent metrics for S3 Transfer Manager directory operations.
+
+3.242.0 (2026-02-02)
+------------------
+
+* Feature - Include HTTP status code and body in errors whehn retrieving ECS credentials and Instance Profile credentials.
+
+3.241.4 (2026-01-16)
+------------------
+
+* Issue - Rewind IO during initialization for `AwsChunkedTrailerDigestIO`.
+
+3.241.3 (2026-01-08)
+------------------
+
+* Issue - Disable request trailer checksums when using non-HTTPs endpoints.
+
+3.241.2 (2026-01-07)
+------------------
+
+* Issue - Preserve existing Content-Encoding when applying request trailer checksum.
+
+3.241.1 (2026-01-06)
+------------------
+
+* Issue - Fix memory leak in ClockSkew retry plugin by normalizing endpoints to prevent unlimited hash growth.
+
+3.241.0 (2026-01-05)
+------------------
+
+* Feature - Improved memory efficiency when calculating request checksums.
+
+3.240.0 (2025-12-16)
+------------------
+
+* Feature - Updated configuration values for `defaults_mode`.
+
+* Issue - Prioritizes JSON over CBOR when both are supported for stubbed clients.
+
+3.239.2 (2025-11-25)
+------------------
+
+* Issue - Fix `login_credentials` in credentials chain when config is enabled.
+
+3.239.1 (2025-11-21)
+------------------
+
+* Issue - Fixed HTTP/2 connection issues when using custom ports.
+
+3.239.0 (2025-11-20)
+------------------
+
+* Feature - Updated Aws::Signin::Client with the latest API changes.
+
+* Issue - Fix region configuration for LoginCredential's Signin client.
+
+3.238.0 (2025-11-19)
+------------------
+
+* Feature - Updated Aws::Signin::Client with the latest API changes.
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - IAM now supports outbound identity federation via the STS GetWebIdentityToken API, enabling AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens.
+
+* Feature - Add `LoginCredentials` which retrieves credentials from AWS Sign-In. Support `aws-sdk-signin` alias gem.
+
+3.237.0 (2025-11-10)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Added GetDelegatedAccessToken API, which is not available for general use at this time.
+
+3.236.0 (2025-10-30)
+------------------
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Update endpoint ruleset parameters casing
+
+3.235.0 (2025-10-24)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - Update endpoint ruleset parameters casing
+
+3.234.0 (2025-10-21)
+------------------
+
+* Issue - Fix `request_checksum_calculation` `when_required` mode to only calculate checksums when explicitly provided by user.
+
+* Feature - Add `CREDENTIALS_CODE` metric for `static_profile_` prefixed methods in default credential chain.
+
+3.233.0 (2025-09-23)
+------------------
+
+* Feature - Updated Aws::SSOOIDC::Client with the latest API changes.
+
+* Feature - This release includes exception definition and documentation updates.
+
 3.232.0 (2025-08-28)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.232.0
+3.246.0

data/lib/aws-sdk-core/assume_role_credentials.rb

@@ -7,7 +7,7 @@ module Aws
   # {Aws::STS::Client#assume_role}.
   #
   #     role_credentials = Aws::AssumeRoleCredentials.new(
-  #       client: Aws::STS::Client.new(...),
+  #       client: Aws::STS::Client.new(sts_options),
   #       role_arn: "linked::account::arn",
   #       role_session_name: "session-name"
   #     )
@@ -28,15 +28,15 @@ module Aws
     # @option options [Integer] :duration_seconds
     # @option options [String] :external_id
     # @option options [STS::Client] :client
-    # @option options [Callable] before_refresh Proc called before
+    # @option options [Proc] :before_refresh A Proc called before
     #   credentials are refreshed.  Useful for updating tokens.
-    #   `before_refresh` is called when AWS credentials are
-    #   required and need to be refreshed. Tokens can be refreshed using
-    #   the following example:
+    #   `:before_refresh` is called when AWS credentials are
+    #   required and need to be refreshed. See the example in this doc.
     #
-    #      before_refresh = Proc.new do |assume_role_credentials| do
-    #        assume_role_credentials.assume_role_params['token_code'] = update_token
-    #      end
+    # @example Tokens can be refreshed using a Proc.
+    #   before_refresh = Proc.new do |assume_role_credentials|
+    #     assume_role_credentials.assume_role_params['token_code'] = update_token
+    #   end
     #
     def initialize(options = {})
       client_opts = {}

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -9,11 +9,11 @@ module Aws
   # {Aws::STS::Client#assume_role_with_web_identity}.
   #
   #     role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
-  #       client: Aws::STS::Client.new(...),
+  #       client: Aws::STS::Client.new(sts_options),
   #       role_arn: "linked::account::arn",
   #       web_identity_token_file: "/path/to/token/file",
   #       role_session_name: "session-name"
-  #       ...
+  #       # ...
   #     )
   #     ec2 = Aws::EC2::Client.new(credentials: role_credentials)
   #

data/lib/aws-sdk-core/client_stubs.rb

@@ -280,6 +280,12 @@ module Aws
     end
 
     def protocol_helper
+      # Prioritize JSON over CBOR when CBOR is the configured protocol but both are supported. This is to match similar
+      # prioritization in service.rb code generation.
+      if @config.api.metadata['protocol'] == 'smithy-rpc-v2-cbor' && @config.api.metadata['protocols']&.include?('json')
+        return Stubbing::Protocols::Json.new
+      end
+
       case @config.api.metadata['protocol']
       when 'json'               then Stubbing::Protocols::Json
       when 'rest-json'          then Stubbing::Protocols::RestJson

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -11,7 +11,7 @@ module Aws
     def resolve
       providers.each do |method_name, options|
         provider = send(method_name, options.merge(config: @config))
-        return provider if provider && provider.set?
+        return provider if provider&.set?
       end
       nil
     end
@@ -25,12 +25,14 @@ module Aws
         [:static_profile_sso_credentials, {}],
         [:static_profile_assume_role_credentials, {}],
         [:static_profile_credentials, {}],
+        [:static_profile_login_credentials, {}],
         [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
         [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
+        [:login_credentials, {}],
         [:process_credentials, {}],
         [:instance_profile_credentials, {
           retries: @config ? @config.instance_profile_credentials_retries : 0,
@@ -54,47 +56,80 @@ module Aws
     end
 
     def static_profile_assume_role_web_identity_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.assume_role_web_identity_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.assume_role_web_identity_credentials_from_config(
           profile: options[:config].profile,
           region: options[:config].region
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_sso_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        Aws.shared_config.sso_credentials_from_config(
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.sso_credentials_from_config(
           profile: options[:config].profile
         )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_assume_role_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        assume_role_with_profile(options, options[:config].profile)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = assume_role_with_profile(options, options[:config].profile)
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
     end
 
     def static_profile_credentials(options)
-      if options[:config] && options[:config].profile
-        creds = SharedCredentials.new(profile_name: options[:config].profile)
-        creds.metrics = ['CREDENTIALS_PROFILE']
-        creds
-      end
+      return unless options[:config]&.profile
+
+      creds = SharedCredentials.new(profile_name: options[:config].profile)
+      creds.metrics << 'CREDENTIALS_PROFILE'
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
 
-    def static_profile_process_credentials(options)
-      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
-        process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
-        if process_provider
-          creds = ProcessCredentials.new([process_provider])
-          creds.metrics << 'CREDENTIALS_PROFILE_PROCESS'
-          creds
-        end
+    def static_profile_login_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.login_credentials_from_config(
+          profile: options[:config].profile,
+          region: options[:config].region
+        )
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
       end
+    end
+
+    def static_profile_process_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      process_provider = Aws.shared_config.credential_process(profile: options[:config].profile)
+      return unless process_provider
+
+      creds = ProcessCredentials.new([process_provider])
+      creds.metrics.concat(%w[CREDENTIALS_PROFILE_PROCESS CREDENTIALS_CODE])
+      creds
     rescue Errors::NoSuchProfileError
       nil
     end
@@ -122,7 +157,7 @@ module Aws
     end
 
     def determine_profile_name(options)
-      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+      (options[:config]&.profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
     end
 
     def shared_credentials(options)
@@ -134,6 +169,16 @@ module Aws
       nil
     end
 
+    def login_credentials(options)
+      return unless Aws.shared_config.config_enabled?
+
+      profile_name = determine_profile_name(options)
+      region = options[:config].region if options[:config]
+      Aws.shared_config.login_credentials_from_config(profile: profile_name, region: region)
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
     def process_credentials(options)
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?
@@ -201,10 +246,14 @@ module Aws
         profile: profile_name,
         chain_config: @config
       }
-      if options[:config] && options[:config].region
+      if options[:config]&.region
         assume_opts[:region] = options[:config].region
       end
       Aws.shared_config.assume_role_credentials_from_config(assume_opts)
     end
+
+    def with_metrics(metrics, &block)
+      Aws::Plugins::UserAgent.metric(*metrics, &block)
+    end
   end
 end

data/lib/aws-sdk-core/ecs_credentials.rb

@@ -15,7 +15,17 @@ module Aws
     include RefreshingCredentials
 
     # @api private
-    class Non200Response < RuntimeError; end
+    class Non200Response < RuntimeError
+      attr_reader :status_code, :body
+
+      def initialize(status_code, body = nil)
+        @status_code = status_code
+        @body = body
+        msg = "HTTP #{status_code}"
+        msg += ": #{body}" if body && !body.empty?
+        super(msg)
+      end
+    end
 
     # Raised when the token file cannot be read.
     class TokenFileReadError < RuntimeError; end
@@ -42,26 +52,26 @@ module Aws
     # @option options [Integer] :retries (5) Number of times to retry
     #   when retrieving credentials.
     # @option options [String] :ip_address ('169.254.170.2') This value is
-    #   ignored if `endpoint` is set and `credential_path` is not set.
-    # @option options [Integer] :port (80) This value is ignored if `endpoint`
-    #   is set and `credential_path` is not set.
+    #   ignored if `:endpoint` is set and `:credential_path` is not set.
+    # @option options [Integer] :port (80) This value is ignored if `:endpoint`
+    #   is set and `:credential_path` is not set.
     # @option options [String] :credential_path By default, the value of the
-    #   AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable.
+    #   `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable.
     # @option options [String] :endpoint The container credential endpoint.
-    #   By default, this is the value of the AWS_CONTAINER_CREDENTIALS_FULL_URI
-    #   environment variable. This value is ignored if `credential_path` or
-    #   ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'] is set.
+    #   By default, this is the value of the `AWS_CONTAINER_CREDENTIALS_FULL_URI`
+    #   environment variable. This value is ignored if `:credential_path` or
+    #   `ENV['AWS_CONTAINER_CREDENTIALS_RELATIVE_URI']` is set.
     # @option options [Float] :http_open_timeout (5)
     # @option options [Float] :http_read_timeout (5)
-    # @option options [Numeric, Proc] :delay By default, failures are retried
+    # @option options [IO] :http_debug_output (nil) HTTP wire
+    #   traces are sent to this object.  You can specify something
+    #   like `$stdout`.
+    # @option options [Numeric, Proc] :backoff By default, failures are retried
     #   with exponential back-off, i.e. `sleep(1.2 ** num_failures)`. You can
     #   pass a number of seconds to sleep between failed attempts, or
     #   a Proc that accepts the number of failures.
-    # @option options [IO] :http_debug_output (nil) HTTP wire
-    #   traces are sent to this object.  You can specify something
-    #   like $stdout.
-    # @option options [Callable] before_refresh Proc called before
-    #   credentials are refreshed. `before_refresh` is called
+    # @option options [Proc] :before_refresh A Proc called before
+    #   credentials are refreshed. `:before_refresh` is called
     #   with an instance of this object when
     #   AWS credentials are required and need to be refreshed.
     def initialize(options = {})
@@ -251,7 +261,7 @@ module Aws
       request = Net::HTTP::Get.new(path)
       set_authorization_token(request)
       response = connection.request(request)
-      raise Non200Response unless response.code.to_i == 200
+      raise Non200Response.new(response.code.to_i, response.body) unless response.code.to_i == 200
 
       response.body
     end

data/lib/aws-sdk-core/errors.rb

@@ -213,6 +213,9 @@ module Aws
     # Raised when SSO Token is invalid
     class InvalidSSOToken < RuntimeError; end
 
+    # Raised when Login Token is invalid
+    class InvalidLoginToken < RuntimeError; end
+
     # Raised when a client is unable to sign a request because
     # the bearer token is not configured or available
     class MissingBearerTokenError < RuntimeError

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -26,7 +26,17 @@ module Aws
     include RefreshingCredentials
 
     # @api private
-    class Non200Response < RuntimeError; end
+    class Non200Response < RuntimeError
+      attr_reader :status_code, :body
+
+      def initialize(status_code, body = nil)
+        @status_code = status_code
+        @body = body
+        msg = "HTTP #{status_code}"
+        msg += ": #{body}" if body && !body.empty?
+        super(msg)
+      end
+    end
 
     # @api private
     class TokenRetrivalError < RuntimeError; end
@@ -57,6 +67,9 @@ module Aws
 
     # @param [Hash] options
     # @option options [Integer] :retries (1) Number of times to retry when retrieving credentials.
+    # @option options [Numeric, Proc] :backoff By default, failures are retried with exponential back-off, i.e.
+    #   `lambda { |num_failures| sleep(1.2 ** num_failures) }`. You can pass a number of seconds to sleep
+    #   between failed attempts, or a Proc that accepts the number of failures.
     # @option options [String] :endpoint ('http://169.254.169.254') The IMDS endpoint. This option has precedence
     #    over the `:endpoint_mode`.
     # @option options [String] :endpoint_mode ('IPv4') The endpoint mode for the instance metadata service. This is
@@ -67,14 +80,11 @@ module Aws
     # @option options [Integer] :port (80)
     # @option options [Float] :http_open_timeout (1)
     # @option options [Float] :http_read_timeout (1)
-    # @option options [Numeric, Proc] :delay By default, failures are retried with exponential back-off, i.e.
-    #   `sleep(1.2 ** num_failures)`. You can pass a number of seconds to sleep between failed attempts, or a Proc
-    #   that accepts the number of failures.
     # @option options [IO] :http_debug_output (nil) HTTP wire traces are sent to this object.
     #   You can specify something like `$stdout`.
-    # @option options [Integer] :token_ttl Time-to-Live in seconds for EC2 Metadata Token used for fetching
-    #   Metadata Profile Credentials, defaults to 21600 seconds.
-    # @option options [Callable] :before_refresh Proc called before credentials are refreshed. `before_refresh`
+    # @option options [Integer] :token_ttl (21600) Time-to-Live in seconds for EC2 Metadata Token used for fetching
+    #   Metadata Profile Credentials.
+    # @option options [Proc] :before_refresh A Proc called before credentials are refreshed. `:before_refresh`
     #   is called with an instance of this object when AWS credentials are required and need to be refreshed.
     def initialize(options = {})
       @backoff = resolve_backoff(options[:backoff])
@@ -95,7 +105,7 @@ module Aws
       super
     end
 
-    # @return [Boolean0
+    # @return [Boolean]
     attr_reader :disable_imds_v1
 
     # @return [Integer]
@@ -249,7 +259,7 @@ module Aws
       # The next retry should fetch it
       @token = nil
       @imds_v1_fallback = false
-      raise Non200Response
+      raise Non200Response.new(401, 'Token expired')
     end
 
     def token_set?
@@ -278,7 +288,7 @@ module Aws
       when 401
         raise TokenExpiredError
       else
-        raise Non200Response
+        raise Non200Response.new(response.code.to_i, response.body)
       end
     end
 
@@ -298,7 +308,7 @@ module Aws
       when 400
         raise TokenRetrivalError
       else
-        raise Non200Response
+        raise Non200Response.new(response.code.to_i, response.body)
       end
     end