aws-sdk-core 3.54.2 → 3.75.0
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +101 -0
- data/lib/aws-sdk-core/client_side_monitoring/publisher.rb +9 -1
- data/lib/aws-sdk-core/credential_provider.rb +0 -31
- data/lib/aws-sdk-core/credential_provider_chain.rb +29 -18
- data/lib/aws-sdk-core/deprecations.rb +16 -10
- data/lib/aws-sdk-core/endpoint_cache.rb +14 -11
- data/lib/aws-sdk-core/errors.rb +12 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +3 -2
- data/lib/aws-sdk-core/json.rb +5 -5
- data/lib/aws-sdk-core/log/param_filter.rb +1 -1
- data/lib/aws-sdk-core/param_validator.rb +4 -5
- data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb +24 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +3 -1
- data/lib/aws-sdk-core/plugins/retry_errors.rb +7 -3
- data/lib/aws-sdk-core/process_credentials.rb +3 -3
- data/lib/aws-sdk-core/shared_config.rb +74 -5
- data/lib/aws-sdk-core.rb +1 -0
- data/lib/aws-sdk-sts/client.rb +102 -17
- data/lib/aws-sdk-sts/client_api.rb +16 -0
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +32 -0
- data/lib/aws-sdk-sts/types.rb +53 -18
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/seahorse/client/base.rb +3 -1
- data/lib/seahorse/client/handler_list_entry.rb +2 -2
- data/lib/seahorse/client/plugin.rb +1 -1
- metadata +12 -4
@@ -99,12 +99,10 @@ module Aws
|
|
99
99
|
def credentials(opts = {})
|
100
100
|
p = opts[:profile] || @profile_name
|
101
101
|
validate_profile_exists(p) if credentials_present?
|
102
|
-
if credentials = credentials_from_shared(p, opts)
|
102
|
+
if (credentials = credentials_from_shared(p, opts))
|
103
103
|
credentials
|
104
|
-
elsif credentials = credentials_from_config(p, opts)
|
104
|
+
elsif (credentials = credentials_from_config(p, opts))
|
105
105
|
credentials
|
106
|
-
else
|
107
|
-
nil
|
108
106
|
end
|
109
107
|
end
|
110
108
|
|
@@ -121,6 +119,25 @@ module Aws
|
|
121
119
|
credentials
|
122
120
|
end
|
123
121
|
|
122
|
+
def assume_role_web_identity_credentials_from_config(profile)
|
123
|
+
p = profile || @profile_name
|
124
|
+
if @config_enabled && @parsed_config
|
125
|
+
entry = @parsed_config.fetch(p, {})
|
126
|
+
if entry['web_identity_token_file'] &&
|
127
|
+
entry['role_arn']
|
128
|
+
AssumeRoleWebIdentityCredentials.new(
|
129
|
+
role_arn: entry['role_arn'],
|
130
|
+
web_identity_token_file: entry['web_identity_token_file'],
|
131
|
+
role_session_name: entry['role_session_name']
|
132
|
+
)
|
133
|
+
else
|
134
|
+
nil
|
135
|
+
end
|
136
|
+
else
|
137
|
+
nil
|
138
|
+
end
|
139
|
+
end
|
140
|
+
|
124
141
|
def region(opts = {})
|
125
142
|
p = opts[:profile] || @profile_name
|
126
143
|
if @config_enabled
|
@@ -136,6 +153,21 @@ module Aws
|
|
136
153
|
end
|
137
154
|
end
|
138
155
|
|
156
|
+
def sts_regional_endpoints(opts = {})
|
157
|
+
p = opts[:profile] || @profile_name
|
158
|
+
if @config_enabled
|
159
|
+
if @parsed_credentials
|
160
|
+
mode = @parsed_credentials.fetch(p, {})["sts_regional_endpoints"]
|
161
|
+
end
|
162
|
+
if @parsed_config
|
163
|
+
mode ||= @parsed_config.fetch(p, {})["sts_regional_endpoints"]
|
164
|
+
end
|
165
|
+
mode
|
166
|
+
else
|
167
|
+
nil
|
168
|
+
end
|
169
|
+
end
|
170
|
+
|
139
171
|
def endpoint_discovery(opts = {})
|
140
172
|
p = opts[:profile] || @profile_name
|
141
173
|
if @config_enabled && @parsed_config
|
@@ -193,7 +225,23 @@ module Aws
|
|
193
225
|
end
|
194
226
|
end
|
195
227
|
|
228
|
+
def csm_host(opts = {})
|
229
|
+
p = opts[:profile] || @profile_name
|
230
|
+
if @config_enabled
|
231
|
+
if @parsed_credentials
|
232
|
+
value = @parsed_credentials.fetch(p, {})["csm_host"]
|
233
|
+
end
|
234
|
+
if @parsed_config
|
235
|
+
value ||= @parsed_config.fetch(p, {})["csm_host"]
|
236
|
+
end
|
237
|
+
value
|
238
|
+
else
|
239
|
+
nil
|
240
|
+
end
|
241
|
+
end
|
242
|
+
|
196
243
|
private
|
244
|
+
|
197
245
|
def credentials_present?
|
198
246
|
(@parsed_credentials && !@parsed_credentials.empty?) ||
|
199
247
|
(@parsed_config && !@parsed_config.empty?)
|
@@ -211,11 +259,12 @@ module Aws
|
|
211
259
|
"provide only source_profile or credential_source, not both."
|
212
260
|
)
|
213
261
|
elsif opts[:source_profile]
|
214
|
-
opts[:credentials] =
|
262
|
+
opts[:credentials] = resolve_source_profile(opts[:source_profile])
|
215
263
|
if opts[:credentials]
|
216
264
|
opts[:role_session_name] ||= prof_cfg["role_session_name"]
|
217
265
|
opts[:role_session_name] ||= "default_session"
|
218
266
|
opts[:role_arn] ||= prof_cfg["role_arn"]
|
267
|
+
opts[:duration_seconds] ||= prof_cfg["duration_seconds"]
|
219
268
|
opts[:external_id] ||= prof_cfg["external_id"]
|
220
269
|
opts[:serial_number] ||= prof_cfg["mfa_serial"]
|
221
270
|
opts[:profile] = opts.delete(:source_profile)
|
@@ -235,6 +284,7 @@ module Aws
|
|
235
284
|
opts[:role_session_name] ||= prof_cfg["role_session_name"]
|
236
285
|
opts[:role_session_name] ||= "default_session"
|
237
286
|
opts[:role_arn] ||= prof_cfg["role_arn"]
|
287
|
+
opts[:duration_seconds] ||= prof_cfg["duration_seconds"]
|
238
288
|
opts[:external_id] ||= prof_cfg["external_id"]
|
239
289
|
opts[:serial_number] ||= prof_cfg["mfa_serial"]
|
240
290
|
opts.delete(:source_profile) # Cleanup
|
@@ -257,6 +307,20 @@ module Aws
|
|
257
307
|
end
|
258
308
|
end
|
259
309
|
|
310
|
+
def resolve_source_profile(profile)
|
311
|
+
if (creds = credentials(profile: profile))
|
312
|
+
creds # static credentials
|
313
|
+
elsif (provider = assume_role_web_identity_credentials_from_config(profile))
|
314
|
+
if provider.credentials.set?
|
315
|
+
provider.credentials
|
316
|
+
end
|
317
|
+
elsif (provider = assume_role_process_credentials_from_config(profile))
|
318
|
+
if provider.credentials.set?
|
319
|
+
provider.credentials
|
320
|
+
end
|
321
|
+
end
|
322
|
+
end
|
323
|
+
|
260
324
|
def credentials_from_source(credential_source, config)
|
261
325
|
case credential_source
|
262
326
|
when "Ec2InstanceMetadata"
|
@@ -274,6 +338,11 @@ module Aws
|
|
274
338
|
end
|
275
339
|
end
|
276
340
|
|
341
|
+
def assume_role_process_credentials_from_config(profile)
|
342
|
+
credential_process = credentials_process(profile)
|
343
|
+
ProcessCredentials.new(credential_process) if credential_process
|
344
|
+
end
|
345
|
+
|
277
346
|
def credentials_from_shared(profile, opts)
|
278
347
|
if @parsed_credentials && prof_config = @parsed_credentials[profile]
|
279
348
|
credentials_from_profile(prof_config)
|
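Review bot: In `resolve_source_profile` the `elsif` chain stops at the first provider that is configured, not the first that yields credentials. When `assume_role_web_identity_credentials_from_config(profile)` returns a provider whose `credentials.set?` is false, the method returns nil and `assume_role_process_credentials_from_config` is never consulted. The method, which sits wholly inside this hunk, has no comment stating that precedence, even though it decides which identity a `source_profile` chain starts from. If the behaviour is intended, a header comment would record it, e.g. `# Resolution order: static keys, then web identity, then credential_process; a configured provider that returns unset credentials ends the search.` If a fall-through to the process provider is wanted instead, the two provider branches need to be sequential checks rather than `elsif` arms.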
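--- a/data/lib/aws-sdk-core.rb
+++ b/data/lib/aws-sdk-core.rb
@@ -9,6 +9,7 @@ require_relative 'aws-sdk-core/deprecations'
 require_relative 'aws-sdk-core/credential_provider'
 require_relative 'aws-sdk-core/refreshing_credentials'
 require_relative 'aws-sdk-core/assume_role_credentials'
+require_relative 'aws-sdk-core/assume_role_web_identity_credentials'
 require_relative 'aws-sdk-core/credentials'
 require_relative 'aws-sdk-core/credential_provider_chain'
 require_relative 'aws-sdk-core/ecs_credentials'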
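--- a/data/lib/aws-sdk-sts/client.rb
+++ b/data/lib/aws-sdk-sts/client.rb
@@ -26,6 +26,7 @@ require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
 require 'aws-sdk-core/plugins/transfer_encoding.rb'
 require 'aws-sdk-core/plugins/signature_v4.rb'
 require 'aws-sdk-core/plugins/protocols/query.rb'
+require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
 
 Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
 
@@ -59,6 +60,7 @@ module Aws::STS
 add_plugin(Aws::Plugins::TransferEncoding)
 add_plugin(Aws::Plugins::SignatureV4)
 add_plugin(Aws::Plugins::Protocols::Query)
+add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
 
 # @overload initialize(options)
 # @param [Hash] options
@@ -116,6 +118,10 @@ module Aws::STS
 # Allows you to provide an identifier for this client which will be attached to
 # all generated client side metrics. Defaults to an empty string.
 #
+# @option options [String] :client_side_monitoring_host ("127.0.0.1")
+# Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
+# side monitoring agent is running on, where client metrics will be published via UDP.
+#
 # @option options [Integer] :client_side_monitoring_port (31000)
 # Required for publishing client metrics. The port that the client side monitoring
 # agent is running on, where client metrics will be published via UDP.
@@ -188,6 +194,11 @@ module Aws::STS
 #
 # @option options [String] :session_token
 #
+# @option options [String] :sts_regional_endpoints ("legacy")
+# Passing in 'regional' to enable regional endpoint for STS for all supported
+# regions (except 'aws-global'), defaults to 'legacy' mode, using global endpoint
+# for legacy regions.
+#
 # @option options [Boolean] :stub_responses (false)
 # Causes the client to return stubbed responses. By default
 # fake responses are generated and returned. You can specify
@@ -391,8 +402,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and managed
 # session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -410,11 +420,12 @@ module Aws::STS
 # access resources in the account that owns the role. You cannot use
 # session policies to grant more permissions than those allowed by the
 # identity-based policy of the role that is being assumed. For more
-# information, see [Session Policies][
+# information, see [Session Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 #
 # @option params [String] :policy
 # An IAM policy in JSON format that you want to use as an inline session
@@ -711,8 +722,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and managed
 # session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -730,11 +740,12 @@ module Aws::STS
 # access resources in the account that owns the role. You cannot use
 # session policies to grant more permissions than those allowed by the
 # identity-based policy of the role that is being assumed. For more
-# information, see [Session Policies][
+# information, see [Session Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 #
 # @option params [String] :policy
 # An IAM policy in JSON format that you want to use as an inline session
@@ -1015,8 +1026,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and managed
 # session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -1034,11 +1044,12 @@ module Aws::STS
 # access resources in the account that owns the role. You cannot use
 # session policies to grant more permissions than those allowed by the
 # identity-based policy of the role that is being assumed. For more
-# information, see [Session Policies][
+# information, see [Session Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 #
 # @option params [String] :policy
 # An IAM policy in JSON format that you want to use as an inline session
@@ -1259,8 +1270,82 @@ module Aws::STS
 req.send_request(options)
 end
 
-# Returns
-#
+# Returns the account identifier for the specified access key ID.
+#
+# Access keys consist of two parts: an access key ID (for example,
+# `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example,
+# `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). For more information
+# about access keys, see [Managing Access Keys for IAM Users][1] in the
+# *IAM User Guide*.
+#
+# When you pass an access key ID to this operation, it returns the ID of
+# the AWS account to which the keys belong. Access key IDs beginning
+# with `AKIA` are long-term credentials for an IAM user or the AWS
+# account root user. Access key IDs beginning with `ASIA` are temporary
+# credentials that are created using STS operations. If the account in
+# the response belongs to you, you can sign in as the root user and
+# review your root user access keys. Then, you can pull a [credentials
+# report][2] to learn which IAM user owns the keys. To learn who
+# requested the temporary credentials for an `ASIA` access key, view the
+# STS events in your [CloudTrail logs][3].
+#
+# This operation does not indicate the state of the access key. The key
+# might be active, inactive, or deleted. Active keys might not have
+# permissions to perform an operation. Providing a deleted access key
+# might return an error that the key doesn't exist.
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+#
+# @option params [required, String] :access_key_id
+# The identifier of an access key.
+#
+# This parameter allows (through its regex pattern) a string of
+# characters that can consist of any upper- or lowercased letter or
+# digit.
+#
+# @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+#
+# * {Types::GetAccessKeyInfoResponse#account #account} => String
+#
+# @example Request syntax with placeholder values
+#
+# resp = client.get_access_key_info({
+# access_key_id: "accessKeyIdType", # required
+# })
+#
+# @example Response structure
+#
+# resp.account #=> String
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo AWS API Documentation
+#
+# @overload get_access_key_info(params = {})
+# @param [Hash] params ({})
+def get_access_key_info(params = {}, options = {})
+req = build_request(:get_access_key_info, params)
+req.send_request(options)
+end
+
+# Returns details about the IAM user or role whose credentials are used
+# to call the operation.
+#
+# <note markdown="1"> No permissions are required to perform this operation. If an
+# administrator adds a policy to your IAM user or role that explicitly
+# denies access to the `sts:GetCallerIdentity` action, you can still
+# perform this operation. Permissions are not required because the same
+# information is returned when an IAM user or role is denied access. To
+# view an example response, see [I Am Not Authorized to Perform:
+# iam:DeleteVirtualMFADevice][1].
+#
+# </note>
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
 #
 # @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
 #
@@ -1474,8 +1559,7 @@ module Aws::STS
 # both inline and managed session policies shouldn't exceed 2048
 # characters. You can provide up to 10 managed policy ARNs. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# the AWS General Reference.
+# Service Namespaces][2] in the AWS General Reference.
 #
 # This parameter is optional. However, if you do not pass any session
 # policies, then the resulting federated user session has no
@@ -1504,6 +1588,7 @@ module Aws::STS
 #
 #
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 #
 # @option params [Integer] :duration_seconds
 # The duration, in seconds, that the session should last. Acceptable
@@ -1730,7 +1815,7 @@ module Aws::STS
 params: params,
 config: config)
 context[:gem_name] = 'aws-sdk-core'
-context[:gem_version] = '3.
+context[:gem_version] = '3.75.0'
 Seahorse::Client::Request.new(handlers, context)
 end
 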
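Review bot: The new `:client_side_monitoring_host` option text accepts any DNS name or IP address as the UDP target for client metrics but carries no caveat about pointing it away from the default `127.0.0.1`. Nothing in the visible documentation says the datagrams are encrypted or authenticated, so with a non-loopback host the per-request metrics would presumably cross the network in a form anyone on the path can read or spoof. I would add one sentence to the option doc, e.g. `# Keep this on a loopback address unless the network path to the monitoring agent is trusted.` The same value can apparently come from a shared profile through the new `csm_host` reader, so the caveat is worth repeating wherever that setting is documented.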
@@ -24,6 +24,8 @@ module Aws::STS
|
|
24
24
|
DecodeAuthorizationMessageResponse = Shapes::StructureShape.new(name: 'DecodeAuthorizationMessageResponse')
|
25
25
|
ExpiredTokenException = Shapes::StructureShape.new(name: 'ExpiredTokenException')
|
26
26
|
FederatedUser = Shapes::StructureShape.new(name: 'FederatedUser')
|
27
|
+
GetAccessKeyInfoRequest = Shapes::StructureShape.new(name: 'GetAccessKeyInfoRequest')
|
28
|
+
GetAccessKeyInfoResponse = Shapes::StructureShape.new(name: 'GetAccessKeyInfoResponse')
|
27
29
|
GetCallerIdentityRequest = Shapes::StructureShape.new(name: 'GetCallerIdentityRequest')
|
28
30
|
GetCallerIdentityResponse = Shapes::StructureShape.new(name: 'GetCallerIdentityResponse')
|
29
31
|
GetFederationTokenRequest = Shapes::StructureShape.new(name: 'GetFederationTokenRequest')
|
@@ -149,6 +151,12 @@ module Aws::STS
|
|
149
151
|
FederatedUser.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
|
150
152
|
FederatedUser.struct_class = Types::FederatedUser
|
151
153
|
|
154
|
+
GetAccessKeyInfoRequest.add_member(:access_key_id, Shapes::ShapeRef.new(shape: accessKeyIdType, required: true, location_name: "AccessKeyId"))
|
155
|
+
GetAccessKeyInfoRequest.struct_class = Types::GetAccessKeyInfoRequest
|
156
|
+
|
157
|
+
GetAccessKeyInfoResponse.add_member(:account, Shapes::ShapeRef.new(shape: accountType, location_name: "Account"))
|
158
|
+
GetAccessKeyInfoResponse.struct_class = Types::GetAccessKeyInfoResponse
|
159
|
+
|
152
160
|
GetCallerIdentityRequest.struct_class = Types::GetCallerIdentityRequest
|
153
161
|
|
154
162
|
GetCallerIdentityResponse.add_member(:user_id, Shapes::ShapeRef.new(shape: userIdType, location_name: "UserId"))
|
@@ -271,6 +279,14 @@ module Aws::STS
|
|
271
279
|
o.errors << Shapes::ShapeRef.new(shape: InvalidAuthorizationMessageException)
|
272
280
|
end)
|
273
281
|
|
282
|
+
api.add_operation(:get_access_key_info, Seahorse::Model::Operation.new.tap do |o|
|
283
|
+
o.name = "GetAccessKeyInfo"
|
284
|
+
o.http_method = "POST"
|
285
|
+
o.http_request_uri = "/"
|
286
|
+
o.input = Shapes::ShapeRef.new(shape: GetAccessKeyInfoRequest)
|
287
|
+
o.output = Shapes::ShapeRef.new(shape: GetAccessKeyInfoResponse)
|
288
|
+
end)
|
289
|
+
|
274
290
|
api.add_operation(:get_caller_identity, Seahorse::Model::Operation.new.tap do |o|
|
275
291
|
o.name = "GetCallerIdentity"
|
276
292
|
o.http_method = "POST"
|
@@ -0,0 +1,32 @@
|
|
1
|
+
module Aws
|
2
|
+
module STS
|
3
|
+
module Plugins
|
4
|
+
|
5
|
+
class STSRegionalEndpoints < Seahorse::Client::Plugin
|
6
|
+
|
7
|
+
option(:sts_regional_endpoints,
|
8
|
+
default: 'legacy',
|
9
|
+
doc_type: String,
|
10
|
+
docstring: <<-DOCS) do |cfg|
|
11
|
+
Passing in 'regional' to enable regional endpoint for STS for all supported
|
12
|
+
regions (except 'aws-global'), defaults to 'legacy' mode, using global endpoint
|
13
|
+
for legacy regions.
|
14
|
+
DOCS
|
15
|
+
resolve_sts_regional_endpoints(cfg)
|
16
|
+
end
|
17
|
+
|
18
|
+
private
|
19
|
+
|
20
|
+
def self.resolve_sts_regional_endpoints(cfg)
|
21
|
+
env_mode = ENV['AWS_STS_REGIONAL_ENDPOINTS']
|
22
|
+
env_mode = nil if env_mode == ''
|
23
|
+
cfg_mode = Aws.shared_config.sts_regional_endpoints(
|
24
|
+
profile: cfg.profile)
|
25
|
+
env_mode || cfg_mode || 'legacy'
|
26
|
+
end
|
27
|
+
|
28
|
+
end
|
29
|
+
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
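Review bot: `resolve_sts_regional_endpoints` returns whatever string it finds in `AWS_STS_REGIONAL_ENDPOINTS` or the shared config without checking it against the two documented modes, so a misspelt or differently cased value such as `Regional` becomes the option value as-is. How the mode is consumed is outside this hunk, but if the consumer compares against `'regional'` exactly, a typo would silently leave the client on the global endpoint. Validating here makes the mistake visible: `mode = (env_mode || cfg_mode || 'legacy').downcase` followed by `raise ArgumentError, "sts_regional_endpoints must be 'legacy' or 'regional'" unless %w[legacy regional].include?(mode)`, then return `mode`. Separately, the bare `private` above `def self.resolve_sts_regional_endpoints` has no effect on a singleton method; either drop it or use `private_class_method :resolve_sts_regional_endpoints`.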
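--- a/data/lib/aws-sdk-sts/types.rb
+++ b/data/lib/aws-sdk-sts/types.rb
@@ -57,8 +57,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and
 # managed session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# in the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -77,11 +76,12 @@ module Aws::STS
 # owns the role. You cannot use session policies to grant more
 # permissions than those allowed by the identity-based policy of the
 # role that is being assumed. For more information, see [Session
-# Policies][
+# Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 # @return [Array<Types::PolicyDescriptorType>]
 #
 # @!attribute [rw] policy
@@ -297,8 +297,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and
 # managed session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# in the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -317,11 +316,12 @@ module Aws::STS
 # owns the role. You cannot use session policies to grant more
 # permissions than those allowed by the identity-based policy of the
 # role that is being assumed. For more information, see [Session
-# Policies][
+# Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 # @return [Array<Types::PolicyDescriptorType>]
 #
 # @!attribute [rw] policy
@@ -548,8 +548,7 @@ module Aws::STS
 # ARNs. However, the plain text that you use for both inline and
 # managed session policies shouldn't exceed 2048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
-# Service Namespaces]
-# in the AWS General Reference.
+# Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> The characters in this parameter count towards the 2048 character
 # session policy guideline. However, an AWS conversion compresses the
@@ -568,11 +567,12 @@ module Aws::STS
 # owns the role. You cannot use session policies to grant more
 # permissions than those allowed by the identity-based policy of the
 # role that is being assumed. For more information, see [Session
-# Policies][
+# Policies][2] in the *IAM User Guide*.
 #
 #
 #
-# [1]: https://docs.aws.amazon.com/
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
 # @return [Array<Types::PolicyDescriptorType>]
 #
 # @!attribute [rw] policy
@@ -848,6 +848,39 @@ module Aws::STS
 include Aws::Structure
 end
 
+# @note When making an API call, you may pass GetAccessKeyInfoRequest
+# data as a hash:
+#
+# {
+# access_key_id: "accessKeyIdType", # required
+# }
+#
+# @!attribute [rw] access_key_id
+# The identifier of an access key.
+#
+# This parameter allows (through its regex pattern) a string of
+# characters that can consist of any upper- or lowercased letter or
+# digit.
+# @return [String]
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoRequest AWS API Documentation
+#
+class GetAccessKeyInfoRequest < Struct.new(
+:access_key_id)
+include Aws::Structure
+end
+
+# @!attribute [rw] account
+# The number used to identify the AWS account.
+# @return [String]
+#
+# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
+#
+class GetAccessKeyInfoResponse < Struct.new(
+:account)
+include Aws::Structure
+end
+
 # @api private
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest AWS API Documentation
@@ -971,9 +1004,7 @@ module Aws::STS
 # use for both inline and managed session policies shouldn't exceed
 # 2048 characters. You can provide up to 10 managed policy ARNs. For
 # more information about ARNs, see [Amazon Resource Names (ARNs) and
-# AWS Service
-# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
-# AWS General Reference.
+# AWS Service Namespaces][2] in the AWS General Reference.
 #
 # This parameter is optional. However, if you do not pass any session
 # policies, then the resulting federated user session has no
@@ -1002,6 +1033,7 @@ module Aws::STS
 #
 #
 # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
+# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 # @return [Array<Types::PolicyDescriptorType>]
 #
 # @!attribute [rw] duration_seconds
@@ -1173,7 +1205,7 @@ module Aws::STS
 include Aws::Structure
 end
 
-#
+# This error is returned if the message passed to
 # `DecodeAuthorizationMessage` was invalid. This can happen if the token
 # contains invalid characters, such as linebreaks.
 #
@@ -1241,9 +1273,12 @@ module Aws::STS
 # @!attribute [rw] arn
 # The Amazon Resource Name (ARN) of the IAM managed policy to use as a
 # session policy for the role. For more information about ARNs, see
-# [Amazon Resource Names (ARNs) and AWS Service
-# Namespaces](general/latest/gr/aws-arns-and-namespaces.html) in the
+# [Amazon Resource Names (ARNs) and AWS Service Namespaces][1] in the
 # *AWS General Reference*.
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 # @return [String]
 #
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/PolicyDescriptorType AWS API Documentation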
data/lib/aws-sdk-sts.rb
CHANGED
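--- a/data/lib/seahorse/client/base.rb
+++ b/data/lib/seahorse/client/base.rb
@@ -194,13 +194,15 @@ module Seahorse
 private
 
 def define_operation_methods
+operations_module = Module.new
 @api.operation_names.each do |method_name|
-define_method
+operations_module.send(:define_method, method_name) do |*args, &block|
 params = args[0] || {}
 options = args[1] || {}
 build_request(method_name, params).send_request(options, &block)
 end
 end
+include(operations_module)
 end
 
 def build_plugins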
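Review bot: `define_operation_methods` now defines the operation methods on an anonymous module and includes it, but nothing in the method says why the indirection exists. Presumably it lets a client class define a method with an operation's name and still reach the generated one through `super`, which is easy to undo by accident in a later cleanup. A one-line comment above `operations_module = Module.new` would record that, e.g. `# Defined on an included module so client classes can override an operation and call super.`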
@@ -77,8 +77,8 @@ module Seahorse
|
|
77
77
|
if options.key?(name)
|
78
78
|
options[name]
|
79
79
|
else
|
80
|
-
msg = "
|
81
|
-
raise ArgumentError, msg %
|
80
|
+
msg = "missing option: `%s'"
|
81
|
+
raise ArgumentError, msg % name.inspect
|
82
82
|
end
|
83
83
|
end
|
84
84
|
|