aws-sdk-core 3.54.2 → 3.75.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 957c22992e76e2f143a965bd0ec0b377f9ad95ac
-  data.tar.gz: a2aae223f15b9a3d0df478ce8eabd8b8a48136b8
+  metadata.gz: 194df940a18e57a3fbf75e09c42328b35988c17e
+  data.tar.gz: fa8cf2d891ba162504b4a7cee3708fcca2078691
 SHA512:
-  metadata.gz: e35f246d2a7ffa5789ec88035a55e4b6def9e99322f9560b53d70c21acfd34b11a6f0e248d8063af33e4d59a4c1a50f905d84434c35c99873b6093a4da9c64bb
-  data.tar.gz: 6e1ad990cd9343153d41a8f92f8f4801eb703504e4ec23da383496ebc2d994f448f85a30b11ad5726946bbbc7f2512897e569c3efc9383af672b998c2b925377
+  metadata.gz: 2000eaec703020824d47772c672bc3465cc0a41b060455b7bec2dcdee009f44568c60417a378d5fd3d5981cd84767a1a5c46af7d78f0b211f43335e0a9e3d5ee
+  data.tar.gz: a5162ca9178f3333608650761ffa90e5dadace299da423ecbc7ce63bd16c45f513c563a44fcdc73bd0ffbd34bc96905a1184c1ee6f9b0b7d582e25630a475bee

data/VERSION

@@ -1 +1 @@
-3.54.2
+3.75.0

data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb

@@ -0,0 +1,101 @@
+require 'set'
+require 'securerandom'
+require 'base64'
+
+module Aws
+
+  # An auto-refreshing credential provider that works by assuming
+  # a role via {Aws::STS::Client#assume_role_with_web_identity}.
+  #
+  #     role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
+  #       client: Aws::STS::Client.new(...),
+  #       role_arn: "linked::account::arn",
+  #       web_identity_token_file: "/path/to/token/file",
+  #       role_session_name: "session-name"
+  #       ...
+  #     )
+  #     For full list of parameters accepted
+  #     @see Aws::STS::Client#assume_role_with_web_identity 
+  #
+  #
+  # If you omit `:client` option, a new {STS::Client} object will be
+  # constructed.
+  class AssumeRoleWebIdentityCredentials
+
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @option options [required, String] :role_arn the IAM role
+    #   to be assumed
+    #
+    # @option options [required, String] :web_identity_token_file
+    #   absolute path to the file on disk containing OIDC token
+    #
+    # @option options [String] :role_session_name the IAM session
+    #   name used to distinguish session, when not provided, base64
+    #   encoded UUID is generated as the session name
+    #
+    # @option options [STS::Client] :client
+    def initialize(options = {})
+      client_opts = {}
+      @assume_role_web_identity_params = {}
+      @token_file = options.delete(:web_identity_token_file)
+      options.each_pair do |key, value|
+        if self.class.assume_role_web_identity_options.include?(key)
+          @assume_role_web_identity_params[key] = value
+        else
+          client_opts[key] = value
+        end
+      end
+
+      unless @assume_role_web_identity_params[:role_session_name]
+        # not provided, generate encoded UUID as session name
+        @assume_role_web_identity_params[:role_session_name] = _session_name
+      end
+      @client = client_opts[:client] || STS::Client.new(client_opts.merge(credentials: false))
+      super
+    end
+
+    # @return [STS::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # read from token file everytime it refreshes
+      @assume_role_web_identity_params[:web_identity_token] = _token_from_file(@token_file)
+
+      c = @client.assume_role_with_web_identity(
+        @assume_role_web_identity_params).credentials
+      @credentials = Credentials.new(
+        c.access_key_id,
+        c.secret_access_key,
+        c.session_token
+      )
+      @expiration = c.expiration
+    end
+
+    def _token_from_file(path)
+      unless path && File.exist?(path)
+        raise Aws::Errors::MissingWebIdentityTokenFile.new
+      end
+      File.read(path)
+    end
+
+    def _session_name
+      Base64.strict_encode64(SecureRandom.uuid)
+    end
+
+    class << self
+
+      # @api private
+      def assume_role_web_identity_options
+        @arwio ||= begin
+          input = STS::Client.api.operation(:assume_role_with_web_identity).input
+          Set.new(input.shape.member_names)
+        end
+      end
+
+    end
+  end
+end

data/lib/aws-sdk-core/client_side_monitoring/publisher.rb

@@ -6,8 +6,10 @@ module Aws
     # @api private
     class Publisher
       attr_reader :agent_port
+      attr_reader :agent_host
 
       def initialize(opts = {})
+        @agent_host = opts[:agent_host] || "127.0.0.1"
         @agent_port = opts[:agent_port]
         @mutex = Mutex.new
       end
@@ -18,6 +20,12 @@ module Aws
         end
       end
 
+      def agent_host=(value)
+        @mutex.synchronize do
+          @agent_host = value
+        end
+      end
+
       def publish(request_metrics)
         send_datagram(request_metrics.api_call.to_json)
         request_metrics.api_call_attempts.each do |attempt|
@@ -29,7 +37,7 @@ module Aws
         if @agent_port
           socket = UDPSocket.new
           begin
-            socket.connect("127.0.0.1", @agent_port)
+            socket.connect(@agent_host, @agent_port)
             socket.send(msg, 0)
           rescue Errno::ECONNREFUSED
             # Drop on the floor

data/lib/aws-sdk-core/credential_provider.rb

@@ -1,10 +1,6 @@
-require_relative 'deprecations'
-
 module Aws
   module CredentialProvider
 
-    extend Deprecations
-
     # @return [Credentials]
     attr_reader :credentials
 
@@ -13,32 +9,5 @@ module Aws
       !!credentials && credentials.set?
     end
 
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def access_key_id
-      credentials ? credentials.access_key_id : nil
-    end
-    deprecated(:access_key_id, use: '#credentials')
-
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def secret_access_key
-      credentials ? credentials.secret_access_key : nil
-    end
-    deprecated(:secret_access_key, use: '#credentials')
-
-    # @deprecated Deprecated in 2.1.0. This method is subject to errors
-    #   from a race condition when called against refreshable credential
-    #   objects. Will be removed in 2.2.0.
-    # @see #credentials
-    def session_token
-      credentials ? credentials.session_token : nil
-    end
-    deprecated(:session_token, use: '#credentials')
-
   end
 end

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -21,6 +21,7 @@ module Aws
       [
         [:static_credentials, {}],
         [:env_credentials, {}],
+        [:assume_role_web_identity_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
         [:process_credentials, {}],
@@ -59,22 +60,20 @@ module Aws
       nil
     end
 
+    def determine_profile_name(options)
+      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+    end
+
     def shared_credentials(options)
-      if options[:config]
-        SharedCredentials.new(profile_name: options[:config].profile)
-      else
-        SharedCredentials.new(
-          profile_name: ENV['AWS_PROFILE'].nil? ? 'default' : ENV['AWS_PROFILE'])
-      end
+      profile_name = determine_profile_name(options)
+      SharedCredentials.new(profile_name: profile_name)
     rescue Errors::NoSuchProfileError
       nil
     end
 
     def process_credentials(options)
-      profile_name = options[:config].profile if options[:config]
-      profile_name ||= ENV['AWS_PROFILE'].nil? ? 'default' : ENV['AWS_PROFILE']
-      
       config = Aws.shared_config
+      profile_name = determine_profile_name(options)
       if config.config_enabled? && process_provider = config.credentials_process(profile_name)
         ProcessCredentials.new(process_provider)
       else
@@ -86,13 +85,23 @@ module Aws
 
     def assume_role_credentials(options)
       if Aws.shared_config.config_enabled?
-        profile, region = nil, nil
-        if options[:config]
-          profile = options[:config].profile
-          region = options[:config].region
-          assume_role_with_profile(options[:config].profile, options[:config].region)
-        end
-        assume_role_with_profile(profile, region)
+        assume_role_with_profile(options)
+      else
+        nil
+      end
+    end
+
+    def assume_role_web_identity_credentials(options)
+      if (role_arn = ENV['AWS_ROLE_ARN']) &&
+        (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE'])
+        AssumeRoleWebIdentityCredentials.new(
+          role_arn: role_arn,
+          web_identity_token_file: token_file,
+          role_session_name: ENV['AWS_ROLE_SESSION_NAME']
+        )
+      elsif Aws.shared_config.config_enabled?
+        profile = options[:config].profile if options[:config]
+        Aws.shared_config.assume_role_web_identity_credentials_from_config(profile)
       else
         nil
       end
@@ -106,9 +115,11 @@ module Aws
       end
     end
 
-    def assume_role_with_profile(prof, region)
+    def assume_role_with_profile(options)
+      profile_name = determine_profile_name(options)
+      region = (options[:config] && options[:config].region)
       Aws.shared_config.assume_role_credentials_from_config(
-        profile: prof,
+        profile: profile_name,
         region: region,
         chain_config: @config
       )

data/lib/aws-sdk-core/deprecations.rb

@@ -35,33 +35,39 @@ module Aws
   # @api private
   module Deprecations
 
-    # @param [Symbol] method_name The name of the deprecated method.
+    # @param [Symbol] method The name of the deprecated method.
     #
     # @option options [String] :message The warning message to issue
     #   when the deprecated method is called.
     #
-    # @option options [Symbol] :use The name of an use
-    #   method that should be used.
+    # @option options [String] :use The name of a method that should be used.
     #
-    def deprecated(method_name, options = {})
+    # @option options [String] :version The version that will remove the
+    #   deprecated method.
+    #
+    def deprecated(method, options = {})
 
       deprecation_msg = options[:message] || begin
-        msg = "DEPRECATION WARNING: called deprecated method `#{method_name}' "
-        msg << "of an #{self}"
-        msg << ", use #{options[:use]} instead" if options[:use]
+        msg = "#################### DEPRECATION WARNING ####################\n"
+        msg << "Called deprecated method `#{method}` of #{self}."
+        msg << " Use `#{options[:use]}` instead.\n" if options[:use]
+        if options[:version]
+          msg << "Method `#{method}` will be removed in #{options[:version]}."
+        end
+        msg << "\n#############################################################"
         msg
       end
 
-      alias_method(:"deprecated_#{method_name}", method_name)
+      alias_method(:"deprecated_#{method}", method)
 
       warned = false # we only want to issue this warning once
 
-      define_method(method_name) do |*args,&block|
+      define_method(method) do |*args, &block|
         unless warned
           warned = true
           warn(deprecation_msg + "\n" + caller.join("\n"))
         end
-        send("deprecated_#{method_name}", *args, &block)
+        send("deprecated_#{method}", *args, &block)
       end
     end
 

data/lib/aws-sdk-core/endpoint_cache.rb

@@ -47,8 +47,8 @@ module Aws
       @mutex.synchronize do
         # delete the least recent used endpoint when cache is full
         unless @entries.size < @max_entries
-          old_key, _ = @entries.shift
-          self.delete_polling_thread(old_key)
+          old_key, = @entries.shift
+          delete_polling_thread(old_key)
         end
         # delete old value if exists
         @entries.delete(key)
@@ -60,10 +60,12 @@ module Aws
     # @param [String] key
     # @return [Boolean]
     def key?(key)
-      if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
-        self.delete(key)
+      @mutex.synchronize do
+        if @entries.key?(key) && (@entries[key].nil? || @entries[key].expired?)
+          @entries.delete(key)
+        end
+        @entries.key?(key)
       end
-      @entries.key?(key)
     end
 
     # checking whether an polling thread exist for the key
@@ -84,7 +86,7 @@ module Aws
     # kill the old polling thread and remove it from pool
     # @param [String] key
     def delete_polling_thread(key)
-      Thread.kill(@pool[key]) if self.threads_key?(key)
+      Thread.kill(@pool[key]) if threads_key?(key)
       @pool.delete(key)
     end
 
@@ -109,7 +111,7 @@ module Aws
       if _endpoint_operation_identifier(ctx)
         parts << ctx.operation_name
         ctx.operation.input.shape.members.inject(parts) do |p, (name, ref)|
-          p << ctx.params[name] if ref["endpointdiscoveryid"]
+          p << ctx.params[name] if ref['endpointdiscoveryid']
           p
         end
       end
@@ -141,7 +143,7 @@ module Aws
         # build identifier params when available
         params[:operation] = ctx.operation.name
         ctx.operation.input.shape.members.inject(params) do |p, (name, ref)|
-          if ref["endpointdiscoveryid"]
+          if ref['endpointdiscoveryid']
             p[:identifiers] ||= {}
             p[:identifiers][ref.location_name] = ctx.params[name]
           end
@@ -153,19 +155,20 @@ module Aws
         endpoint_operation_name = ctx.config.api.endpoint_operation
         ctx.client.send(endpoint_operation_name, params)
       rescue Aws::Errors::ServiceError
-        nil 
+        nil
       end
     end
 
     def _endpoint_operation_identifier(ctx)
       return @require_identifier unless @require_identifier.nil?
+
       operation_name = ctx.config.api.endpoint_operation
       operation = ctx.config.api.operation(operation_name)
       @require_identifier = operation.input.shape.members.any?
     end
 
     class Endpoint
-    
+
       # default endpoint cache time, 1 minute
       CACHE_PERIOD = 1
 
@@ -175,7 +178,7 @@ module Aws
         @created_time = Time.now
       end
 
-      # [String] valid URI address (with path) 
+      # [String] valid URI address (with path)
       attr_reader :address
 
       def expired?

data/lib/aws-sdk-core/errors.rb

@@ -158,6 +158,18 @@ module Aws
       end
     end
 
+    # Raised when :web_identity_token_file parameter is not
+    # provided or the file doesn't exist when initializing
+    # AssumeRoleWebIdentityCredentials credential provider
+    class MissingWebIdentityTokenFile < RuntimeError
+      def initialize(*args)
+        msg = 'Missing :web_identity_token_file parameter or'\
+          ' invalid file path provided for'\
+          ' Aws::AssumeRoleWebIdentityCredentials provider'
+        super(msg)
+      end
+    end
+
     # Raised when a credentials provider process returns a JSON
     # payload with either invalid version number or malformed contents
     class InvalidProcessCredentialsPayload < RuntimeError; end

data/lib/aws-sdk-core/instance_profile_credentials.rb

@@ -51,8 +51,9 @@ module Aws
       super
     end
 
-    # @return [Integer] The number of times to retry failed attempts to
-    #   fetch credentials from the instance metadata service. Defaults to 0.
+    # @return [Integer] Number of times to retry when retrieving credentials
+    #   from the instance metadata service. Defaults to 0 when resolving from
+    #   the default credential chain ({Aws::CredentialProviderChain}).
     attr_reader :retries
 
     private

data/lib/aws-sdk-core/json.rb

@@ -23,7 +23,7 @@ module Aws
 
       def load(json)
         ENGINE.load(json, *ENGINE_LOAD_OPTIONS)
-      rescue ENGINE_ERROR => e
+      rescue *ENGINE_ERRORS => e
         raise ParseError.new(e)
       end
 
@@ -45,21 +45,21 @@ module Aws
       end
 
       def json_engine
-        [JSON, [], [], JSON::ParserError]
+        [JSON, [], [], [JSON::ParserError]]
       end
 
       def oj_parse_error
         if Oj.const_defined?('ParseError')
-          Oj::ParseError
+          [Oj::ParseError, EncodingError]
         else
-          SyntaxError
+          [SyntaxError]
         end
       end
 
     end
 
     # @api private
-    ENGINE, ENGINE_LOAD_OPTIONS, ENGINE_DUMP_OPTIONS, ENGINE_ERROR =
+    ENGINE, ENGINE_LOAD_OPTIONS, ENGINE_DUMP_OPTIONS, ENGINE_ERRORS =
       oj_engine || json_engine
 
   end

data/lib/aws-sdk-core/log/param_filter.rb

@@ -11,7 +11,7 @@ module Aws
       #
       # @api private
       # begin
-      SENSITIVE = [:access_token, :account_name, :account_password, :address, :admin_contact, :admin_password, :artifact_credentials, :auth_code, :authentication_token, :authorization_result, :backup_plan_tags, :backup_vault_tags, :base_32_string_seed, :body, :bot_configuration, :bot_email, :cause, :client_id, :client_secret, :configuration, :copy_source_sse_customer_key, :credentials, :current_password, :custom_attributes, :db_password, :default_phone_number, :definition, :description, :display_name, :e164_phone_number, :email, :email_address, :email_message, :embed_url, :error, :feedback_token, :file, :first_name, :id, :id_token, :input, :input_text, :key_id, :key_store_password, :kms_key_id, :kms_master_key_id, :lambda_function_arn, :last_name, :local_console_password, :master_account_email, :master_user_password, :message, :name, :new_password, :next_password, :notes, :old_password, :outbound_events_https_endpoint, :output, :owner_information, :parameters, :passphrase, :password, :payload, :phone_number, :plaintext, :previous_password, :primary_email, :primary_provisioned_number, :private_key, :proposed_password, :public_key, :qr_code_png, :query, :recovery_point_tags, :refresh_token, :registrant_contact, :request_attributes, :search_query, :secret_access_key, :secret_binary, :secret_code, :secret_hash, :secret_string, :secret_to_authenticate_initiator, :secret_to_authenticate_target, :security_token, :service_password, :session_attributes, :share_notes, :shared_secret, :slots, :sse_customer_key, :ssekms_key_id, :status_message, :tag_key_list, :tags, :task_parameters, :tech_contact, :temporary_password, :text, :token, :trust_password, :upload_credentials, :upload_url, :user_email, :user_name, :username, :value, :values, :variables, :zip_file]
+      SENSITIVE = [:access_token, :account_name, :account_password, :address, :admin_contact, :admin_password, :artifact_credentials, :auth_code, :authentication_token, :authorization_result, :backup_plan_tags, :backup_vault_tags, :base_32_string_seed, :block, :block_address, :body, :bot_configuration, :bot_email, :calling_name, :cause, :client_id, :client_secret, :comment, :configuration, :copy_source_sse_customer_key, :credentials, :current_password, :custom_attributes, :custom_private_key, :db_password, :default_phone_number, :definition, :description, :digest_tip_address, :display_name, :e164_phone_number, :email, :email_address, :email_message, :embed_url, :error, :feedback_token, :file, :first_name, :host_key, :id, :id_token, :input, :input_text, :ion_text, :key_id, :key_material, :key_store_password, :kms_key_id, :kms_master_key_id, :lambda_function_arn, :last_name, :local_console_password, :master_account_email, :master_user_password, :message, :name, :new_password, :next_password, :notes, :number, :old_password, :outbound_events_https_endpoint, :output, :owner_information, :parameters, :passphrase, :password, :payload, :phone_number, :plaintext, :previous_password, :primary_email, :primary_provisioned_number, :private_key, :proof, :proposed_password, :public_key, :qr_code_png, :query, :random_password, :recovery_point_tags, :refresh_token, :registrant_contact, :request_attributes, :revision, :search_query, :secret_access_key, :secret_binary, :secret_code, :secret_hash, :secret_string, :secret_to_authenticate_initiator, :secret_to_authenticate_target, :security_token, :service_password, :session_attributes, :share_notes, :shared_secret, :slots, :sse_customer_key, :ssekms_encryption_context, :ssekms_key_id, :status_message, :tag_key_list, :tags, :target_address, :task_parameters, :tech_contact, :temporary_password, :text, :token, :trust_password, :type, :upload_credentials, :upload_url, :uri, :user_data, :user_email, :user_name, :user_password, :username, :value, :values, :variables, :vpn_psk, :zip_file]
       # end
 
       def initialize(options = {})

data/lib/aws-sdk-core/param_validator.rb

@@ -141,8 +141,8 @@ module Aws
           errors << expected_got(context, "true or false", value)
         end
       when BlobShape
-        unless io_like?(value) or value.is_a?(String)
-          errors << expected_got(context, "a String or IO object", value)
+        unless value.is_a?(String) || io_like?(value)
+          errors << expected_got(context, "a String or File object", value)
         end
       else
         raise "unhandled shape type: #{ref.shape.class.name}"
@@ -166,9 +166,8 @@ module Aws
     end
 
     def io_like?(value)
-      value.respond_to?(:read) &&
-      value.respond_to?(:rewind) &&
-      value.respond_to?(:size)
+      value.respond_to?(:read) && value.respond_to?(:rewind) &&
+        value.respond_to?(:size)
     end
 
     def error_messages(errors)

data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb

@@ -24,6 +24,16 @@ agent is running on, where client metrics will be published via UDP.
         resolve_client_side_monitoring_port(cfg)
       end
 
+      option(:client_side_monitoring_host,
+        default: "127.0.0.1",
+        doc_type: String,
+        docstring: <<-DOCS) do |cfg|
+Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
+side monitoring agent is running on, where client metrics will be published via UDP.
+      DOCS
+        resolve_client_side_monitoring_host(cfg)
+      end
+
       option(:client_side_monitoring_publisher,
         default: ClientSideMonitoring::Publisher,
         doc_type: Aws::ClientSideMonitoring::Publisher,
@@ -49,6 +59,7 @@ all generated client side metrics. Defaults to an empty string.
           handlers.add(Handler, step: :initialize)
           publisher = config.client_side_monitoring_publisher
           publisher.agent_port = config.client_side_monitoring_port
+          publisher.agent_host = config.client_side_monitoring_host
         end
       end
 
@@ -70,6 +81,19 @@ all generated client side metrics. Defaults to an empty string.
         end
       end
 
+      def self.resolve_client_side_monitoring_host(cfg)
+        env_source = ENV["AWS_CSM_HOST"]
+        env_source = nil if env_source == ""
+        cfg_source = Aws.shared_config.csm_host(profile: cfg.profile)
+        if env_source
+          env_source
+        elsif cfg_source
+          cfg_source
+        else
+          "127.0.0.1"
+        end
+      end
+
       def self.resolve_client_side_monitoring(cfg)
         env_source = ENV["AWS_CSM_ENABLED"]
         env_source = nil if env_source == ""

data/lib/aws-sdk-core/plugins/regional_endpoint.rb

@@ -35,7 +35,9 @@ to test endpoints. This should be avalid HTTP(S) URI.
         DOCS
         endpoint_prefix = cfg.api.metadata['endpointPrefix']
         if cfg.region && endpoint_prefix
-          Aws::Partitions::EndpointProvider.resolve(cfg.region, endpoint_prefix)
+          sts_regional = cfg.respond_to?(:sts_regional_endpoints) ? cfg.sts_regional_endpoints : nil
+          Aws::Partitions::EndpointProvider.resolve(
+            cfg.region, endpoint_prefix, sts_regional)
         end
       end
 

data/lib/aws-sdk-core/plugins/retry_errors.rb

@@ -6,7 +6,7 @@ module Aws
     class RetryErrors < Seahorse::Client::Plugin
 
       EQUAL_JITTER = lambda { |delay| (delay / 2) + Kernel.rand(0..(delay/2))}
-      FULL_JITTER= lambda { |delay| Kernel.rand(0..delay) }
+      FULL_JITTER = lambda { |delay| Kernel.rand(0..delay) }
       NO_JITTER = lambda { |delay| delay }
 
       JITTERS = {
@@ -72,6 +72,8 @@ A delay randomiser function used by the default backoff function. Some predefine
           'UnrecognizedClientException', # json services
           'InvalidAccessKeyId',          # s3
           'AuthFailure',                 # ec2
+          'InvalidIdentityToken',        # sts
+          'ExpiredToken',                # route53
         ])
 
         THROTTLING_ERRORS = Set.new([
@@ -93,7 +95,8 @@ A delay randomiser function used by the default backoff function. Some predefine
         ])
 
         NETWORKING_ERRORS = Set.new([
-          'RequestTimeout', # s3
+          'RequestTimeout',         # s3
+          'IDPCommunicationError',  # sts
         ])
 
         def initialize(error, http_status_code)
@@ -116,6 +119,7 @@ A delay randomiser function used by the default backoff function. Some predefine
 
         def networking?
           @error.is_a?(Seahorse::Client::NetworkingError) ||
+          @error.is_a?(Errors::NoSuchEndpointError) ||
           NETWORKING_ERRORS.include?(@name)
         end
 
@@ -141,7 +145,7 @@ A delay randomiser function used by the default backoff function. Some predefine
             false
           end
         end
-          
+
         def retryable?(context)
           (expired_credentials? and refreshable_credentials?(context)) or
             throttling_error? or

data/lib/aws-sdk-core/process_credentials.rb

@@ -5,7 +5,7 @@ module Aws
   # A credential provider that executes a given process and attempts
   # to read its stdout to recieve a JSON payload containing the credentials
   #
-  # Automatically handles refreshing credentials if an Expiration time is 
+  # Automatically handles refreshing credentials if an Expiration time is
   # provided in the credentials payload
   #
   #     credentials = Aws::ProcessCredentials.new('/usr/bin/credential_proc').credentials
@@ -23,11 +23,11 @@ module Aws
     # external process to be used as a credential provider.
     #
     # @param [String] process Invocation string for process
-    # credentials provider. 
+    # credentials provider.
     def initialize(process)
       @process = process
       @credentials = credentials_from_process(@process)
-      
+
       super
     end