aws-sdk-core 3.78.0 → 3.79.0
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core/instance_profile_credentials.rb +90 -5
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- metadata +2 -2
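--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 52713a4b23a1e90585c7a17f44213442b0a852cd
+data.tar.gz: 42b9904fce3ff4291b28ef6e79a6d1a4ce6d2613
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b5592fd6f513ea32dcbb010b7d29dc77c86b5e19d41ceab2d4f71aa69caa72286d8532098171a9ecb0116c80b83b3e52dd9cc7c289b869f6ba6fac070b66e771
+data.tar.gz: 426ac9ade0cc503594e893b044365abdf22263b86ad7cb890cd08183ffc49d77b357c00d86a99acf2c1d273aead62c461d183cf38812f606ec904235f2ddebe3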
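--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.79.0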
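--- a/data/lib/aws-sdk-core/instance_profile_credentials.rb
+++ b/data/lib/aws-sdk-core/instance_profile_credentials.rb
@@ -11,6 +11,12 @@ module Aws
 # @api private
 class Non200Response < RuntimeError; end
 
+# @api private
+class TokenRetrivalError < RuntimeError; end
+
+# @api private
+class TokenExpiredError < RuntimeError; end
+
 # These are the errors we trap when attempting to talk to the
 # instance metadata service. Any of these imply the service
 # is not present, no responding or some other non-recoverable
@@ -26,6 +32,14 @@ module Aws
 Non200Response,
 ]
 
+# Path base for GET request for profile and credentials
+# @api private
+METADATA_PATH_BASE = '/latest/meta-data/iam/security-credentials/'
+
+# Path for PUT request for token
+# @api private
+METADATA_TOKEN_PATH = '/latest/api/token'
+
 # @param [Hash] options
 # @option options [Integer] :retries (5) Number of times to retry
 # when retrieving credentials.
@@ -40,6 +54,9 @@ module Aws
 # @option options [IO] :http_debug_output (nil) HTTP wire
 # traces are sent to this object. You can specify something
 # like $stdout.
+# @option options [Integer] :token_ttl Time-to-Live in seconds for EC2
+# Metadata Token used for fetching Metadata Profile Credentials, defaults
+# to 21600 seconds
 def initialize options = {}
 @retries = options[:retries] || 5
 @ip_address = options[:ip_address] || '169.254.169.254'
@@ -48,6 +65,7 @@ module Aws
 @http_read_timeout = options[:http_read_timeout] || 5
 @http_debug_output = options[:http_debug_output]
 @backoff = backoff(options[:backoff])
+@token_ttl = options[:token_ttl] || 21600
 super
 end
 
@@ -94,9 +112,28 @@ module Aws
 begin
 retry_errors(NETWORK_ERRORS, max_retries: @retries) do
 open_connection do |conn|
-
-
-
+# attempt to fetch token to start secure flow first
+# and rescue to failover
+begin
+retry_errors(NETWORK_ERRORS, max_retries: @retries) do
+unless token_set?
+token_value, ttl = http_put(conn, METADATA_TOKEN_PATH, @token_ttl)
+@token = Token.new(token_value, ttl) if token_value && ttl
+end
+end
+rescue *NETWORK_ERRORS
+# token attempt failed, reset token
+# fallback to non-token mode
+@token = nil
+end
+
+if token_set?
+profile_name = http_get(conn, METADATA_PATH_BASE, @token.value).lines.first.strip
+http_get(conn, METADATA_PATH_BASE + profile_name, @token.value)
+else
+profile_name = http_get(conn, METADATA_PATH_BASE).lines.first.strip
+http_get(conn, METADATA_PATH_BASE + profile_name)
+end
 end
 end
 rescue
@@ -105,6 +142,10 @@ module Aws
 end
 end
 
+def token_set?
+@token && !@token.expired?
+end
+
 def _metadata_disabled?
 flag = ENV["AWS_EC2_METADATA_DISABLED"]
 !flag.nil? && flag.downcase == "true"
@@ -119,8 +160,11 @@ module Aws
 yield(http).tap { http.finish }
 end
 
-
-
+# GET request fetch profile and credentials
+def http_get(connection, path, token=nil)
+headers = {"User-Agent" => "aws-sdk-ruby3/#{CORE_GEM_VERSION}"}
+headers["x-aws-ec2-metadata-token"] = token if token
+response = connection.request(Net::HTTP::Get.new(path, headers))
 if response.code.to_i == 200
 response.body
 else
@@ -128,6 +172,28 @@ module Aws
 end
 end
 
+# PUT request fetch token with ttl
+def http_put(connection, path, ttl)
+headers = {
+"User-Agent" => "aws-sdk-ruby3/#{CORE_GEM_VERSION}",
+"x-aws-ec2-metadata-token-ttl-seconds" => ttl.to_s
+}
+response = connection.request(Net::HTTP::Put.new(path, headers))
+case response.code.to_i
+when 200
+[
+response.body,
+response.header["x-aws-ec2-metadata-token-ttl-seconds"].to_i
+]
+when 401
+raise TokenExpiredError
+when 400
+raise TokenRetrivalError
+else
+raise Non200Response
+end
+end
+
 def retry_errors(error_classes, options = {}, &block)
 max_retries = options[:max_retries]
 retries = 0
@@ -144,5 +210,24 @@ module Aws
 end
 end
 
+# @api private
+# Token used to fetch IMDS profile and credentials
+class Token
+
+def initialize(value, ttl)
+@ttl = ttl
+@value = value
+@created_time = Time.now
+end
+
+# [String] token value
+attr_reader :value
+
+def expired?
+Time.now - @created_time > @ttl
+end
+
+end
+
 end
 end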
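Review bot: The token bootstrap inside `open_connection` only falls back to the non-token path on `NETWORK_ERRORS`, yet `http_put` raises the new `TokenRetrivalError` on 400 and `TokenExpiredError` on 401, and no hunk adds either class to that list, so a PUT rejected with 400 (for instance an out-of-range `:token_ttl`, which `initialize` stores without validating it against IMDS's 1–21600 second limit) bypasses the documented failover and escapes to the outer bare `rescue`, whose body lies outside this hunk. Either widen the fallback, `rescue *NETWORK_ERRORS, TokenRetrivalError, TokenExpiredError`, or clamp the TTL in `initialize`. The guard `if token_value && ttl` also never rejects a missing `x-aws-ec2-metadata-token-ttl-seconds` header, because `.to_i` returns 0 and 0 is truthy in Ruby, so a `Token` with ttl 0 is created, reports `expired?` on the very next check, and the credential GET silently proceeds without a token — a downgrade to IMDSv1 that nothing logs; `if token_value && ttl > 0` (ideally with a debug log on fallback) closes that gap. The inner `retry_errors` is nested inside the outer one with the same `@retries` budget, so on hosts where 169.254.169.254 is unreachable the PUT attempts and their backoff are multiplied by the outer retries before the provider gives up, which deserves at least a comment if it is intentional. Minor: `TokenRetrivalError` misspells "Retrieval", and even under `@api private` it will be awkward to rename once callers rescue it.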
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
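--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.79.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-11-
+date: 2019-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: jmespath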