aws-sdk-core 3.54.2 → 3.75.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +101 -0
- data/lib/aws-sdk-core/client_side_monitoring/publisher.rb +9 -1
- data/lib/aws-sdk-core/credential_provider.rb +0 -31
- data/lib/aws-sdk-core/credential_provider_chain.rb +29 -18
- data/lib/aws-sdk-core/deprecations.rb +16 -10
- data/lib/aws-sdk-core/endpoint_cache.rb +14 -11
- data/lib/aws-sdk-core/errors.rb +12 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +3 -2
- data/lib/aws-sdk-core/json.rb +5 -5
- data/lib/aws-sdk-core/log/param_filter.rb +1 -1
- data/lib/aws-sdk-core/param_validator.rb +4 -5
- data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb +24 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +3 -1
- data/lib/aws-sdk-core/plugins/retry_errors.rb +7 -3
- data/lib/aws-sdk-core/process_credentials.rb +3 -3
- data/lib/aws-sdk-core/shared_config.rb +74 -5
- data/lib/aws-sdk-core.rb +1 -0
- data/lib/aws-sdk-sts/client.rb +102 -17
- data/lib/aws-sdk-sts/client_api.rb +16 -0
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +32 -0
- data/lib/aws-sdk-sts/types.rb +53 -18
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/base.rb +3 -1
- data/lib/seahorse/client/handler_list_entry.rb +2 -2
- data/lib/seahorse/client/plugin.rb +1 -1
- metadata +12 -4
|
@@ -99,12 +99,10 @@ module Aws
|
|
|
99
99
|
def credentials(opts = {})
|
|
100
100
|
p = opts[:profile] || @profile_name
|
|
101
101
|
validate_profile_exists(p) if credentials_present?
|
|
102
|
-
if credentials = credentials_from_shared(p, opts)
|
|
102
|
+
if (credentials = credentials_from_shared(p, opts))
|
|
103
103
|
credentials
|
|
104
|
-
elsif credentials = credentials_from_config(p, opts)
|
|
104
|
+
elsif (credentials = credentials_from_config(p, opts))
|
|
105
105
|
credentials
|
|
106
|
-
else
|
|
107
|
-
nil
|
|
108
106
|
end
|
|
109
107
|
end
|
|
110
108
|
|
|
@@ -121,6 +119,25 @@ module Aws
|
|
|
121
119
|
credentials
|
|
122
120
|
end
|
|
123
121
|
|
|
122
|
+
def assume_role_web_identity_credentials_from_config(profile)
|
|
123
|
+
p = profile || @profile_name
|
|
124
|
+
if @config_enabled && @parsed_config
|
|
125
|
+
entry = @parsed_config.fetch(p, {})
|
|
126
|
+
if entry['web_identity_token_file'] &&
|
|
127
|
+
entry['role_arn']
|
|
128
|
+
AssumeRoleWebIdentityCredentials.new(
|
|
129
|
+
role_arn: entry['role_arn'],
|
|
130
|
+
web_identity_token_file: entry['web_identity_token_file'],
|
|
131
|
+
role_session_name: entry['role_session_name']
|
|
132
|
+
)
|
|
133
|
+
else
|
|
134
|
+
nil
|
|
135
|
+
end
|
|
136
|
+
else
|
|
137
|
+
nil
|
|
138
|
+
end
|
|
139
|
+
end
|
|
140
|
+
|
|
124
141
|
def region(opts = {})
|
|
125
142
|
p = opts[:profile] || @profile_name
|
|
126
143
|
if @config_enabled
|
|
@@ -136,6 +153,21 @@ module Aws
|
|
|
136
153
|
end
|
|
137
154
|
end
|
|
138
155
|
|
|
156
|
+
def sts_regional_endpoints(opts = {})
|
|
157
|
+
p = opts[:profile] || @profile_name
|
|
158
|
+
if @config_enabled
|
|
159
|
+
if @parsed_credentials
|
|
160
|
+
mode = @parsed_credentials.fetch(p, {})["sts_regional_endpoints"]
|
|
161
|
+
end
|
|
162
|
+
if @parsed_config
|
|
163
|
+
mode ||= @parsed_config.fetch(p, {})["sts_regional_endpoints"]
|
|
164
|
+
end
|
|
165
|
+
mode
|
|
166
|
+
else
|
|
167
|
+
nil
|
|
168
|
+
end
|
|
169
|
+
end
|
|
170
|
+
|
|
139
171
|
def endpoint_discovery(opts = {})
|
|
140
172
|
p = opts[:profile] || @profile_name
|
|
141
173
|
if @config_enabled && @parsed_config
|
|
@@ -193,7 +225,23 @@ module Aws
|
|
|
193
225
|
end
|
|
194
226
|
end
|
|
195
227
|
|
|
228
|
+
def csm_host(opts = {})
|
|
229
|
+
p = opts[:profile] || @profile_name
|
|
230
|
+
if @config_enabled
|
|
231
|
+
if @parsed_credentials
|
|
232
|
+
value = @parsed_credentials.fetch(p, {})["csm_host"]
|
|
233
|
+
end
|
|
234
|
+
if @parsed_config
|
|
235
|
+
value ||= @parsed_config.fetch(p, {})["csm_host"]
|
|
236
|
+
end
|
|
237
|
+
value
|
|
238
|
+
else
|
|
239
|
+
nil
|
|
240
|
+
end
|
|
241
|
+
end
|
|
242
|
+
|
|
196
243
|
private
|
|
244
|
+
|
|
197
245
|
def credentials_present?
|
|
198
246
|
(@parsed_credentials && !@parsed_credentials.empty?) ||
|
|
199
247
|
(@parsed_config && !@parsed_config.empty?)
|
|
@@ -211,11 +259,12 @@ module Aws
|
|
|
211
259
|
"provide only source_profile or credential_source, not both."
|
|
212
260
|
)
|
|
213
261
|
elsif opts[:source_profile]
|
|
214
|
-
opts[:credentials] =
|
|
262
|
+
opts[:credentials] = resolve_source_profile(opts[:source_profile])
|
|
215
263
|
if opts[:credentials]
|
|
216
264
|
opts[:role_session_name] ||= prof_cfg["role_session_name"]
|
|
217
265
|
opts[:role_session_name] ||= "default_session"
|
|
218
266
|
opts[:role_arn] ||= prof_cfg["role_arn"]
|
|
267
|
+
opts[:duration_seconds] ||= prof_cfg["duration_seconds"]
|
|
219
268
|
opts[:external_id] ||= prof_cfg["external_id"]
|
|
220
269
|
opts[:serial_number] ||= prof_cfg["mfa_serial"]
|
|
221
270
|
opts[:profile] = opts.delete(:source_profile)
|
|
@@ -235,6 +284,7 @@ module Aws
|
|
|
235
284
|
opts[:role_session_name] ||= prof_cfg["role_session_name"]
|
|
236
285
|
opts[:role_session_name] ||= "default_session"
|
|
237
286
|
opts[:role_arn] ||= prof_cfg["role_arn"]
|
|
287
|
+
opts[:duration_seconds] ||= prof_cfg["duration_seconds"]
|
|
238
288
|
opts[:external_id] ||= prof_cfg["external_id"]
|
|
239
289
|
opts[:serial_number] ||= prof_cfg["mfa_serial"]
|
|
240
290
|
opts.delete(:source_profile) # Cleanup
|
|
@@ -257,6 +307,20 @@ module Aws
|
|
|
257
307
|
end
|
|
258
308
|
end
|
|
259
309
|
|
|
310
|
+
def resolve_source_profile(profile)
|
|
311
|
+
if (creds = credentials(profile: profile))
|
|
312
|
+
creds # static credentials
|
|
313
|
+
elsif (provider = assume_role_web_identity_credentials_from_config(profile))
|
|
314
|
+
if provider.credentials.set?
|
|
315
|
+
provider.credentials
|
|
316
|
+
end
|
|
317
|
+
elsif (provider = assume_role_process_credentials_from_config(profile))
|
|
318
|
+
if provider.credentials.set?
|
|
319
|
+
provider.credentials
|
|
320
|
+
end
|
|
321
|
+
end
|
|
322
|
+
end
|
|
323
|
+
|
|
260
324
|
def credentials_from_source(credential_source, config)
|
|
261
325
|
case credential_source
|
|
262
326
|
when "Ec2InstanceMetadata"
|
|
@@ -274,6 +338,11 @@ module Aws
|
|
|
274
338
|
end
|
|
275
339
|
end
|
|
276
340
|
|
|
341
|
+
def assume_role_process_credentials_from_config(profile)
|
|
342
|
+
credential_process = credentials_process(profile)
|
|
343
|
+
ProcessCredentials.new(credential_process) if credential_process
|
|
344
|
+
end
|
|
345
|
+
|
|
277
346
|
def credentials_from_shared(profile, opts)
|
|
278
347
|
if @parsed_credentials && prof_config = @parsed_credentials[profile]
|
|
279
348
|
credentials_from_profile(prof_config)
|
data/lib/aws-sdk-core.rb
CHANGED
|
@@ -9,6 +9,7 @@ require_relative 'aws-sdk-core/deprecations'
|
|
|
9
9
|
require_relative 'aws-sdk-core/credential_provider'
|
|
10
10
|
require_relative 'aws-sdk-core/refreshing_credentials'
|
|
11
11
|
require_relative 'aws-sdk-core/assume_role_credentials'
|
|
12
|
+
require_relative 'aws-sdk-core/assume_role_web_identity_credentials'
|
|
12
13
|
require_relative 'aws-sdk-core/credentials'
|
|
13
14
|
require_relative 'aws-sdk-core/credential_provider_chain'
|
|
14
15
|
require_relative 'aws-sdk-core/ecs_credentials'
|
data/lib/aws-sdk-sts/client.rb
CHANGED
|
@@ -26,6 +26,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
|
|
26
26
|
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
|
27
27
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
|
28
28
|
require 'aws-sdk-core/plugins/protocols/query.rb'
|
|
29
|
+
require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
|
|
29
30
|
|
|
30
31
|
Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
|
|
31
32
|
|
|
@@ -59,6 +60,7 @@ module Aws::STS
|
|
|
59
60
|
add_plugin(Aws::Plugins::TransferEncoding)
|
|
60
61
|
add_plugin(Aws::Plugins::SignatureV4)
|
|
61
62
|
add_plugin(Aws::Plugins::Protocols::Query)
|
|
63
|
+
add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
|
|
62
64
|
|
|
63
65
|
# @overload initialize(options)
|
|
64
66
|
# @param [Hash] options
|
|
@@ -116,6 +118,10 @@ module Aws::STS
|
|
|
116
118
|
# Allows you to provide an identifier for this client which will be attached to
|
|
117
119
|
# all generated client side metrics. Defaults to an empty string.
|
|
118
120
|
#
|
|
121
|
+
# @option options [String] :client_side_monitoring_host ("127.0.0.1")
|
|
122
|
+
# Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
|
|
123
|
+
# side monitoring agent is running on, where client metrics will be published via UDP.
|
|
124
|
+
#
|
|
119
125
|
# @option options [Integer] :client_side_monitoring_port (31000)
|
|
120
126
|
# Required for publishing client metrics. The port that the client side monitoring
|
|
121
127
|
# agent is running on, where client metrics will be published via UDP.
|
|
@@ -188,6 +194,11 @@ module Aws::STS
|
|
|
188
194
|
#
|
|
189
195
|
# @option options [String] :session_token
|
|
190
196
|
#
|
|
197
|
+
# @option options [String] :sts_regional_endpoints ("legacy")
|
|
198
|
+
# Passing in 'regional' to enable regional endpoint for STS for all supported
|
|
199
|
+
# regions (except 'aws-global'), defaults to 'legacy' mode, using global endpoint
|
|
200
|
+
# for legacy regions.
|
|
201
|
+
#
|
|
191
202
|
# @option options [Boolean] :stub_responses (false)
|
|
192
203
|
# Causes the client to return stubbed responses. By default
|
|
193
204
|
# fake responses are generated and returned. You can specify
|
|
@@ -391,8 +402,7 @@ module Aws::STS
|
|
|
391
402
|
# ARNs. However, the plain text that you use for both inline and managed
|
|
392
403
|
# session policies shouldn't exceed 2048 characters. For more
|
|
393
404
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
394
|
-
# Service Namespaces]
|
|
395
|
-
# the AWS General Reference.
|
|
405
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
396
406
|
#
|
|
397
407
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
398
408
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -410,11 +420,12 @@ module Aws::STS
|
|
|
410
420
|
# access resources in the account that owns the role. You cannot use
|
|
411
421
|
# session policies to grant more permissions than those allowed by the
|
|
412
422
|
# identity-based policy of the role that is being assumed. For more
|
|
413
|
-
# information, see [Session Policies][
|
|
423
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
|
414
424
|
#
|
|
415
425
|
#
|
|
416
426
|
#
|
|
417
|
-
# [1]: https://docs.aws.amazon.com/
|
|
427
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
428
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
418
429
|
#
|
|
419
430
|
# @option params [String] :policy
|
|
420
431
|
# An IAM policy in JSON format that you want to use as an inline session
|
|
@@ -711,8 +722,7 @@ module Aws::STS
|
|
|
711
722
|
# ARNs. However, the plain text that you use for both inline and managed
|
|
712
723
|
# session policies shouldn't exceed 2048 characters. For more
|
|
713
724
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
714
|
-
# Service Namespaces]
|
|
715
|
-
# the AWS General Reference.
|
|
725
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
716
726
|
#
|
|
717
727
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
718
728
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -730,11 +740,12 @@ module Aws::STS
|
|
|
730
740
|
# access resources in the account that owns the role. You cannot use
|
|
731
741
|
# session policies to grant more permissions than those allowed by the
|
|
732
742
|
# identity-based policy of the role that is being assumed. For more
|
|
733
|
-
# information, see [Session Policies][
|
|
743
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
|
734
744
|
#
|
|
735
745
|
#
|
|
736
746
|
#
|
|
737
|
-
# [1]: https://docs.aws.amazon.com/
|
|
747
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
748
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
738
749
|
#
|
|
739
750
|
# @option params [String] :policy
|
|
740
751
|
# An IAM policy in JSON format that you want to use as an inline session
|
|
@@ -1015,8 +1026,7 @@ module Aws::STS
|
|
|
1015
1026
|
# ARNs. However, the plain text that you use for both inline and managed
|
|
1016
1027
|
# session policies shouldn't exceed 2048 characters. For more
|
|
1017
1028
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
1018
|
-
# Service Namespaces]
|
|
1019
|
-
# the AWS General Reference.
|
|
1029
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
1020
1030
|
#
|
|
1021
1031
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
1022
1032
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -1034,11 +1044,12 @@ module Aws::STS
|
|
|
1034
1044
|
# access resources in the account that owns the role. You cannot use
|
|
1035
1045
|
# session policies to grant more permissions than those allowed by the
|
|
1036
1046
|
# identity-based policy of the role that is being assumed. For more
|
|
1037
|
-
# information, see [Session Policies][
|
|
1047
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
|
1038
1048
|
#
|
|
1039
1049
|
#
|
|
1040
1050
|
#
|
|
1041
|
-
# [1]: https://docs.aws.amazon.com/
|
|
1051
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
1052
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1042
1053
|
#
|
|
1043
1054
|
# @option params [String] :policy
|
|
1044
1055
|
# An IAM policy in JSON format that you want to use as an inline session
|
|
@@ -1259,8 +1270,82 @@ module Aws::STS
|
|
|
1259
1270
|
req.send_request(options)
|
|
1260
1271
|
end
|
|
1261
1272
|
|
|
1262
|
-
# Returns
|
|
1263
|
-
#
|
|
1273
|
+
# Returns the account identifier for the specified access key ID.
|
|
1274
|
+
#
|
|
1275
|
+
# Access keys consist of two parts: an access key ID (for example,
|
|
1276
|
+
# `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example,
|
|
1277
|
+
# `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). For more information
|
|
1278
|
+
# about access keys, see [Managing Access Keys for IAM Users][1] in the
|
|
1279
|
+
# *IAM User Guide*.
|
|
1280
|
+
#
|
|
1281
|
+
# When you pass an access key ID to this operation, it returns the ID of
|
|
1282
|
+
# the AWS account to which the keys belong. Access key IDs beginning
|
|
1283
|
+
# with `AKIA` are long-term credentials for an IAM user or the AWS
|
|
1284
|
+
# account root user. Access key IDs beginning with `ASIA` are temporary
|
|
1285
|
+
# credentials that are created using STS operations. If the account in
|
|
1286
|
+
# the response belongs to you, you can sign in as the root user and
|
|
1287
|
+
# review your root user access keys. Then, you can pull a [credentials
|
|
1288
|
+
# report][2] to learn which IAM user owns the keys. To learn who
|
|
1289
|
+
# requested the temporary credentials for an `ASIA` access key, view the
|
|
1290
|
+
# STS events in your [CloudTrail logs][3].
|
|
1291
|
+
#
|
|
1292
|
+
# This operation does not indicate the state of the access key. The key
|
|
1293
|
+
# might be active, inactive, or deleted. Active keys might not have
|
|
1294
|
+
# permissions to perform an operation. Providing a deleted access key
|
|
1295
|
+
# might return an error that the key doesn't exist.
|
|
1296
|
+
#
|
|
1297
|
+
#
|
|
1298
|
+
#
|
|
1299
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
|
|
1300
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
|
|
1301
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
|
|
1302
|
+
#
|
|
1303
|
+
# @option params [required, String] :access_key_id
|
|
1304
|
+
# The identifier of an access key.
|
|
1305
|
+
#
|
|
1306
|
+
# This parameter allows (through its regex pattern) a string of
|
|
1307
|
+
# characters that can consist of any upper- or lowercased letter or
|
|
1308
|
+
# digit.
|
|
1309
|
+
#
|
|
1310
|
+
# @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1311
|
+
#
|
|
1312
|
+
# * {Types::GetAccessKeyInfoResponse#account #account} => String
|
|
1313
|
+
#
|
|
1314
|
+
# @example Request syntax with placeholder values
|
|
1315
|
+
#
|
|
1316
|
+
# resp = client.get_access_key_info({
|
|
1317
|
+
# access_key_id: "accessKeyIdType", # required
|
|
1318
|
+
# })
|
|
1319
|
+
#
|
|
1320
|
+
# @example Response structure
|
|
1321
|
+
#
|
|
1322
|
+
# resp.account #=> String
|
|
1323
|
+
#
|
|
1324
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo AWS API Documentation
|
|
1325
|
+
#
|
|
1326
|
+
# @overload get_access_key_info(params = {})
|
|
1327
|
+
# @param [Hash] params ({})
|
|
1328
|
+
def get_access_key_info(params = {}, options = {})
|
|
1329
|
+
req = build_request(:get_access_key_info, params)
|
|
1330
|
+
req.send_request(options)
|
|
1331
|
+
end
|
|
1332
|
+
|
|
1333
|
+
# Returns details about the IAM user or role whose credentials are used
|
|
1334
|
+
# to call the operation.
|
|
1335
|
+
#
|
|
1336
|
+
# <note markdown="1"> No permissions are required to perform this operation. If an
|
|
1337
|
+
# administrator adds a policy to your IAM user or role that explicitly
|
|
1338
|
+
# denies access to the `sts:GetCallerIdentity` action, you can still
|
|
1339
|
+
# perform this operation. Permissions are not required because the same
|
|
1340
|
+
# information is returned when an IAM user or role is denied access. To
|
|
1341
|
+
# view an example response, see [I Am Not Authorized to Perform:
|
|
1342
|
+
# iam:DeleteVirtualMFADevice][1].
|
|
1343
|
+
#
|
|
1344
|
+
# </note>
|
|
1345
|
+
#
|
|
1346
|
+
#
|
|
1347
|
+
#
|
|
1348
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
|
|
1264
1349
|
#
|
|
1265
1350
|
# @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1266
1351
|
#
|
|
@@ -1474,8 +1559,7 @@ module Aws::STS
|
|
|
1474
1559
|
# both inline and managed session policies shouldn't exceed 2048
|
|
1475
1560
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
|
1476
1561
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
1477
|
-
# Service Namespaces]
|
|
1478
|
-
# the AWS General Reference.
|
|
1562
|
+
# Service Namespaces][2] in the AWS General Reference.
|
|
1479
1563
|
#
|
|
1480
1564
|
# This parameter is optional. However, if you do not pass any session
|
|
1481
1565
|
# policies, then the resulting federated user session has no
|
|
@@ -1504,6 +1588,7 @@ module Aws::STS
|
|
|
1504
1588
|
#
|
|
1505
1589
|
#
|
|
1506
1590
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1591
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
1507
1592
|
#
|
|
1508
1593
|
# @option params [Integer] :duration_seconds
|
|
1509
1594
|
# The duration, in seconds, that the session should last. Acceptable
|
|
@@ -1730,7 +1815,7 @@ module Aws::STS
|
|
|
1730
1815
|
params: params,
|
|
1731
1816
|
config: config)
|
|
1732
1817
|
context[:gem_name] = 'aws-sdk-core'
|
|
1733
|
-
context[:gem_version] = '3.
|
|
1818
|
+
context[:gem_version] = '3.75.0'
|
|
1734
1819
|
Seahorse::Client::Request.new(handlers, context)
|
|
1735
1820
|
end
|
|
1736
1821
|
|
|
@@ -24,6 +24,8 @@ module Aws::STS
|
|
|
24
24
|
DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
|
|
25
25
|
ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException')
|
|
26
26
|
FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
|
|
27
|
+
GetAccessKeyInfoRequest = Shapes::StructureShape.new(name: 'GetAccessKeyInfoRequest')
|
|
28
|
+
GetAccessKeyInfoResponse = Shapes::StructureShape.new(name: 'GetAccessKeyInfoResponse')
|
|
27
29
|
GetCallerIdentityRequest = Shapes::StructureShape.new(name: 'GetCallerIdentityRequest')
|
|
28
30
|
GetCallerIdentityResponse = Shapes::StructureShape.new(name: 'GetCallerIdentityResponse')
|
|
29
31
|
GetFederationTokenRequest = Shapes::StructureShape.new(name: 'GetFederationTokenRequest')
|
|
@@ -149,6 +151,12 @@ module Aws::STS
|
|
|
149
151
|
FederatedUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
|
|
150
152
|
FederatedUser.struct_class = Types::FederatedUser
|
|
151
153
|
|
|
154
|
+
GetAccessKeyInfoRequest.add_member(:access_key_id, Shapes::ShapeRef.new(shape: accessKeyIdType, required: true, location_name: "AccessKeyId"))
|
|
155
|
+
GetAccessKeyInfoRequest.struct_class = Types::GetAccessKeyInfoRequest
|
|
156
|
+
|
|
157
|
+
GetAccessKeyInfoResponse.add_member(:account, Shapes::ShapeRef.new(shape: accountType, location_name: "Account"))
|
|
158
|
+
GetAccessKeyInfoResponse.struct_class = Types::GetAccessKeyInfoResponse
|
|
159
|
+
|
|
152
160
|
GetCallerIdentityRequest.struct_class = Types::GetCallerIdentityRequest
|
|
153
161
|
|
|
154
162
|
GetCallerIdentityResponse.add_member(:user_id, Shapes::ShapeRef.new(shape: userIdType, location_name: "UserId"))
|
|
@@ -271,6 +279,14 @@ module Aws::STS
|
|
|
271
279
|
o.errors << Shapes::ShapeRef.new(shape: InvalidAuthorizationMessageException)
|
|
272
280
|
end)
|
|
273
281
|
|
|
282
|
+
api.add_operation(:get_access_key_info, Seahorse::Model::Operation.new.tap do |o|
|
|
283
|
+
o.name = "GetAccessKeyInfo"
|
|
284
|
+
o.http_method = "POST"
|
|
285
|
+
o.http_request_uri = "/"
|
|
286
|
+
o.input = Shapes::ShapeRef.new(shape: GetAccessKeyInfoRequest)
|
|
287
|
+
o.output = Shapes::ShapeRef.new(shape: GetAccessKeyInfoResponse)
|
|
288
|
+
end)
|
|
289
|
+
|
|
274
290
|
api.add_operation(:get_caller_identity, Seahorse::Model::Operation.new.tap do |o|
|
|
275
291
|
o.name = "GetCallerIdentity"
|
|
276
292
|
o.http_method = "POST"
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Aws
|
|
2
|
+
module STS
|
|
3
|
+
module Plugins
|
|
4
|
+
|
|
5
|
+
class STSRegionalEndpoints < Seahorse::Client::Plugin
|
|
6
|
+
|
|
7
|
+
option(:sts_regional_endpoints,
|
|
8
|
+
default: 'legacy',
|
|
9
|
+
doc_type: String,
|
|
10
|
+
docstring: <<-DOCS) do |cfg|
|
|
11
|
+
Passing in 'regional' to enable regional endpoint for STS for all supported
|
|
12
|
+
regions (except 'aws-global'), defaults to 'legacy' mode, using global endpoint
|
|
13
|
+
for legacy regions.
|
|
14
|
+
DOCS
|
|
15
|
+
resolve_sts_regional_endpoints(cfg)
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
private
|
|
19
|
+
|
|
20
|
+
def self.resolve_sts_regional_endpoints(cfg)
|
|
21
|
+
env_mode = ENV['AWS_STS_REGIONAL_ENDPOINTS']
|
|
22
|
+
env_mode = nil if env_mode == ''
|
|
23
|
+
cfg_mode = Aws.shared_config.sts_regional_endpoints(
|
|
24
|
+
profile: cfg.profile)
|
|
25
|
+
env_mode || cfg_mode || 'legacy'
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
data/lib/aws-sdk-sts/types.rb
CHANGED
|
@@ -57,8 +57,7 @@ module Aws::STS
|
|
|
57
57
|
# ARNs. However, the plain text that you use for both inline and
|
|
58
58
|
# managed session policies shouldn't exceed 2048 characters. For more
|
|
59
59
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
60
|
-
# Service Namespaces]
|
|
61
|
-
# in the AWS General Reference.
|
|
60
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
62
61
|
#
|
|
63
62
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
64
63
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -77,11 +76,12 @@ module Aws::STS
|
|
|
77
76
|
# owns the role. You cannot use session policies to grant more
|
|
78
77
|
# permissions than those allowed by the identity-based policy of the
|
|
79
78
|
# role that is being assumed. For more information, see [Session
|
|
80
|
-
# Policies][
|
|
79
|
+
# Policies][2] in the *IAM User Guide*.
|
|
81
80
|
#
|
|
82
81
|
#
|
|
83
82
|
#
|
|
84
|
-
# [1]: https://docs.aws.amazon.com/
|
|
83
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
84
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
85
85
|
# @return [Array<Types::PolicyDescriptorType>]
|
|
86
86
|
#
|
|
87
87
|
# @!attribute [rw] policy
|
|
@@ -297,8 +297,7 @@ module Aws::STS
|
|
|
297
297
|
# ARNs. However, the plain text that you use for both inline and
|
|
298
298
|
# managed session policies shouldn't exceed 2048 characters. For more
|
|
299
299
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
300
|
-
# Service Namespaces]
|
|
301
|
-
# in the AWS General Reference.
|
|
300
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
302
301
|
#
|
|
303
302
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
304
303
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -317,11 +316,12 @@ module Aws::STS
|
|
|
317
316
|
# owns the role. You cannot use session policies to grant more
|
|
318
317
|
# permissions than those allowed by the identity-based policy of the
|
|
319
318
|
# role that is being assumed. For more information, see [Session
|
|
320
|
-
# Policies][
|
|
319
|
+
# Policies][2] in the *IAM User Guide*.
|
|
321
320
|
#
|
|
322
321
|
#
|
|
323
322
|
#
|
|
324
|
-
# [1]: https://docs.aws.amazon.com/
|
|
323
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
324
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
325
325
|
# @return [Array<Types::PolicyDescriptorType>]
|
|
326
326
|
#
|
|
327
327
|
# @!attribute [rw] policy
|
|
@@ -548,8 +548,7 @@ module Aws::STS
|
|
|
548
548
|
# ARNs. However, the plain text that you use for both inline and
|
|
549
549
|
# managed session policies shouldn't exceed 2048 characters. For more
|
|
550
550
|
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
|
551
|
-
# Service Namespaces]
|
|
552
|
-
# in the AWS General Reference.
|
|
551
|
+
# Service Namespaces][1] in the AWS General Reference.
|
|
553
552
|
#
|
|
554
553
|
# <note markdown="1"> The characters in this parameter count towards the 2048 character
|
|
555
554
|
# session policy guideline. However, an AWS conversion compresses the
|
|
@@ -568,11 +567,12 @@ module Aws::STS
|
|
|
568
567
|
# owns the role. You cannot use session policies to grant more
|
|
569
568
|
# permissions than those allowed by the identity-based policy of the
|
|
570
569
|
# role that is being assumed. For more information, see [Session
|
|
571
|
-
# Policies][
|
|
570
|
+
# Policies][2] in the *IAM User Guide*.
|
|
572
571
|
#
|
|
573
572
|
#
|
|
574
573
|
#
|
|
575
|
-
# [1]: https://docs.aws.amazon.com/
|
|
574
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
575
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
576
576
|
# @return [Array<Types::PolicyDescriptorType>]
|
|
577
577
|
#
|
|
578
578
|
# @!attribute [rw] policy
|
|
@@ -848,6 +848,39 @@ module Aws::STS
|
|
|
848
848
|
include Aws::Structure
|
|
849
849
|
end
|
|
850
850
|
|
|
851
|
+
# @note When making an API call, you may pass GetAccessKeyInfoRequest
|
|
852
|
+
# data as a hash:
|
|
853
|
+
#
|
|
854
|
+
# {
|
|
855
|
+
# access_key_id: "accessKeyIdType", # required
|
|
856
|
+
# }
|
|
857
|
+
#
|
|
858
|
+
# @!attribute [rw] access_key_id
|
|
859
|
+
# The identifier of an access key.
|
|
860
|
+
#
|
|
861
|
+
# This parameter allows (through its regex pattern) a string of
|
|
862
|
+
# characters that can consist of any upper- or lowercased letter or
|
|
863
|
+
# digit.
|
|
864
|
+
# @return [String]
|
|
865
|
+
#
|
|
866
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoRequest AWS API Documentation
|
|
867
|
+
#
|
|
868
|
+
class GetAccessKeyInfoRequest < Struct.new(
|
|
869
|
+
:access_key_id)
|
|
870
|
+
include Aws::Structure
|
|
871
|
+
end
|
|
872
|
+
|
|
873
|
+
# @!attribute [rw] account
|
|
874
|
+
# The number used to identify the AWS account.
|
|
875
|
+
# @return [String]
|
|
876
|
+
#
|
|
877
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
|
|
878
|
+
#
|
|
879
|
+
class GetAccessKeyInfoResponse < Struct.new(
|
|
880
|
+
:account)
|
|
881
|
+
include Aws::Structure
|
|
882
|
+
end
|
|
883
|
+
|
|
851
884
|
# @api private
|
|
852
885
|
#
|
|
853
886
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest AWS API Documentation
|
|
@@ -971,9 +1004,7 @@ module Aws::STS
|
|
|
971
1004
|
# use for both inline and managed session policies shouldn't exceed
|
|
972
1005
|
# 2048 characters. You can provide up to 10 managed policy ARNs. For
|
|
973
1006
|
# more information about ARNs, see [Amazon Resource Names (ARNs) and
|
|
974
|
-
# AWS Service
|
|
975
|
-
# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
|
|
976
|
-
# AWS General Reference.
|
|
1007
|
+
# AWS Service Namespaces][2] in the AWS General Reference.
|
|
977
1008
|
#
|
|
978
1009
|
# This parameter is optional. However, if you do not pass any session
|
|
979
1010
|
# policies, then the resulting federated user session has no
|
|
@@ -1002,6 +1033,7 @@ module Aws::STS
|
|
|
1002
1033
|
#
|
|
1003
1034
|
#
|
|
1004
1035
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
|
1036
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
1005
1037
|
# @return [Array<Types::PolicyDescriptorType>]
|
|
1006
1038
|
#
|
|
1007
1039
|
# @!attribute [rw] duration_seconds
|
|
@@ -1173,7 +1205,7 @@ module Aws::STS
|
|
|
1173
1205
|
include Aws::Structure
|
|
1174
1206
|
end
|
|
1175
1207
|
|
|
1176
|
-
#
|
|
1208
|
+
# This error is returned if the message passed to
|
|
1177
1209
|
# `DecodeAuthorizationMessage` was invalid. This can happen if the token
|
|
1178
1210
|
# contains invalid characters, such as linebreaks.
|
|
1179
1211
|
#
|
|
@@ -1241,9 +1273,12 @@ module Aws::STS
|
|
|
1241
1273
|
# @!attribute [rw] arn
|
|
1242
1274
|
# The Amazon Resource Name (ARN) of the IAM managed policy to use as a
|
|
1243
1275
|
# session policy for the role. For more information about ARNs, see
|
|
1244
|
-
# [Amazon Resource Names (ARNs) and AWS Service
|
|
1245
|
-
# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
|
|
1276
|
+
# [Amazon Resource Names (ARNs) and AWS Service Namespaces][1] in the
|
|
1246
1277
|
# *AWS General Reference*.
|
|
1278
|
+
#
|
|
1279
|
+
#
|
|
1280
|
+
#
|
|
1281
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
|
1247
1282
|
# @return [String]
|
|
1248
1283
|
#
|
|
1249
1284
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PolicyDescriptorType AWS API Documentation
|
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/seahorse/client/base.rb
CHANGED
|
@@ -194,13 +194,15 @@ module Seahorse
|
|
|
194
194
|
private
|
|
195
195
|
|
|
196
196
|
def define_operation_methods
|
|
197
|
+
operations_module = Module.new
|
|
197
198
|
@api.operation_names.each do |method_name|
|
|
198
|
-
define_method
|
|
199
|
+
operations_module.send(:define_method, method_name) do |*args, &block|
|
|
199
200
|
params = args[0] || {}
|
|
200
201
|
options = args[1] || {}
|
|
201
202
|
build_request(method_name, params).send_request(options, &block)
|
|
202
203
|
end
|
|
203
204
|
end
|
|
205
|
+
include(operations_module)
|
|
204
206
|
end
|
|
205
207
|
|
|
206
208
|
def build_plugins
|
|
@@ -77,8 +77,8 @@ module Seahorse
|
|
|
77
77
|
if options.key?(name)
|
|
78
78
|
options[name]
|
|
79
79
|
else
|
|
80
|
-
msg = "
|
|
81
|
-
raise ArgumentError, msg %
|
|
80
|
+
msg = "missing option: `%s'"
|
|
81
|
+
raise ArgumentError, msg % name.inspect
|
|
82
82
|
end
|
|
83
83
|
end
|
|
84
84
|
|