aws-sdk-core 3.237.0 → 3.238.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95d07e9b7ee04171f8d93e7d0616d89c8d7e738372b772d6f66a67fac0710c41
-  data.tar.gz: 00b8b6b00d2e61dee0054b198e73f76f27d2af1e282e01374126522e67991d98
+  metadata.gz: 9b5f0c19ee115b6aeb64a492c9f5d44dd35c12bfd090d8f66a5b207b48ec056e
+  data.tar.gz: 5f2ac56bae1ff72f54aebdc714f73f2c0550b7f2a189d2e54e872832b562c07f
 SHA512:
-  metadata.gz: b77063dba0c37595b4096dd4a022a5446dc3fcb850bf24fff5546c025ce0dfb9fa96570e3259591708836a40c591df299879ebfb7b8648a4cbd736101fad30be
-  data.tar.gz: 05b16dade46a24d7c53d4dc4fa48226f18deaa2ebb410b9bf42a63305cdac965b888bc5b11d283d1ff6c8c5b73ee107135bc8b6dd861386eaea44a02148341cb
+  metadata.gz: 34e19cf1ed28ea6f8989e2a8c010773548932aa44e470c2190d71837c012adb049e4f9e2fcf3096e8344563f233ccc293a5e16a72203b0a6cbe381b49c12cbc2
+  data.tar.gz: 7b3b5b81484bb41872b4949163af33e63d820b5d8902f9fe8a78bc35dd2f4b7f49571780411f75425bbb4b741321ff262894251675cbb13df27aa90370295d47

data/CHANGELOG.md

@@ -1,6 +1,17 @@
 Unreleased Changes
 ------------------
 
+3.238.0 (2025-11-19)
+------------------
+
+* Feature - Updated Aws::Signin::Client with the latest API changes.
+
+* Feature - Updated Aws::STS::Client with the latest API changes.
+
+* Feature - IAM now supports outbound identity federation via the STS GetWebIdentityToken API, enabling AWS workloads to securely authenticate with external services using short-lived JSON Web Tokens.
+
+* Feature - Add `LoginCredentials` which retrieves credentials from AWS Sign-In. Support `aws-sdk-signin` alias gem.
+
 3.237.0 (2025-11-10)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.237.0
+3.238.0

data/lib/aws-sdk-core/credential_provider_chain.rb

@@ -25,12 +25,14 @@ module Aws
         [:static_profile_sso_credentials, {}],
         [:static_profile_assume_role_credentials, {}],
         [:static_profile_credentials, {}],
+        [:static_profile_login_credentials, {}],
         [:static_profile_process_credentials, {}],
         [:env_credentials, {}],
         [:assume_role_web_identity_credentials, {}],
         [:sso_credentials, {}],
         [:assume_role_credentials, {}],
         [:shared_credentials, {}],
+        [:login_credentials, {}],
         [:process_credentials, {}],
         [:instance_profile_credentials, {
           retries: @config ? @config.instance_profile_credentials_retries : 0,
@@ -104,6 +106,18 @@ module Aws
       nil
     end
 
+    def static_profile_login_credentials(options)
+      return unless Aws.shared_config.config_enabled? && options[:config]&.profile
+
+      with_metrics('CREDENTIALS_CODE') do
+        creds = Aws.shared_config.login_credentials_from_config(profile: options[:config].profile)
+        return unless creds
+
+        creds.metrics << 'CREDENTIALS_CODE'
+        creds
+      end
+    end
+
     def static_profile_process_credentials(options)
       return unless Aws.shared_config.config_enabled? && options[:config]&.profile
 
@@ -152,6 +166,15 @@ module Aws
       nil
     end
 
+    def login_credentials(options)
+      return unless Aws.shared_config.config_enabled?
+
+      profile_name = determine_profile_name(options)
+      Aws.shared_config.login_credentials_from_config(profile: profile_name)
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
     def process_credentials(options)
       profile_name = determine_profile_name(options)
       if Aws.shared_config.config_enabled?

data/lib/aws-sdk-core/errors.rb

@@ -213,6 +213,9 @@ module Aws
     # Raised when SSO Token is invalid
     class InvalidSSOToken < RuntimeError; end
 
+    # Raised when Login Token is invalid
+    class InvalidLoginToken < RuntimeError; end
+
     # Raised when a client is unable to sign a request because
     # the bearer token is not configured or available
     class MissingBearerTokenError < RuntimeError

data/lib/aws-sdk-core/login_credentials.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+module Aws
+  # An auto-refreshing credential provider that retrieves credentials from
+  # a cached login token. This class does NOT implement the AWS Sign-In
+  # login flow - tokens must be generated separately by running `aws login`
+  # from the AWS CLI/AWS Tools for PowerShell with the correct profile.
+  # The {LoginCredentials} will auto-refresh the AWS credentials from AWS Sign-In.
+  #
+  #     # You must first run aws login --profile your-login-profile
+  #     login_credentials = Aws::LoginCredentials.new(login_session: 'my_login_session')
+  #     ec2 = Aws::EC2::Client.new(credentials: login_credentials)
+  #
+  # If you omit the `:client` option, a new {Aws::Signin::Client} object will
+  # be constructed with additional options that were provided.
+  class LoginCredentials
+    include CredentialProvider
+    include RefreshingCredentials
+
+    # @option options [required, String] :login_session An opaque string
+    #   used to determine the cache file location. This value can be found
+    #   in the AWS config file which is set by the AWS CLI/AWS Tools for
+    #   PowerShell automatically.
+    #
+    # @option options [Signin::Client] :client Optional `Signin::Client`.
+    #   If not provided, a client will be constructed.
+    def initialize(options = {})
+      raise ArgumentError, 'Missing login_session' unless options[:login_session]
+
+      @login_session = options.delete(:login_session)
+      @client = options[:client]
+      unless @client
+        client_opts = options.reject { |key, _| CLIENT_EXCLUDE_OPTIONS.include?(key) }
+        @client = Signin::Client.new(client_opts.merge(credentials: nil))
+      end
+      @metrics = ['CREDENTIALS_LOGIN']
+      @async_refresh = true
+      super
+    end
+
+    # @return [Signin::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # First reload the token from disk to ensure it hasn't been refreshed externally
+      token_json = read_cached_token
+      update_creds(token_json['accessToken'])
+      return if @credentials && @expiration && !near_expiration?(sync_expiration_length)
+
+      # Using OpenSSL 3.6.0 may result in errors like "certificate verify failed (unable to get certificate CRL)."
+      # A recommended workaround is to use OpenSSL version < 3.6.0 or requiring the openssl gem with a version of at
+      # least 3.2.2. GitHub issue: https://github.com/openssl/openssl/issues/28752.
+      if OpenSSL::OPENSSL_LIBRARY_VERSION.include?('3.6.') &&
+         (!Gem.loaded_specs['openssl'] || Gem.loaded_specs['openssl'].version < Gem::Version.new('3.2.2'))
+        warn 'WARNING: OpenSSL 3.6.x may cause certificate verify errors - use OpenSSL < 3.6.0 or openssl gem >= 3.2.2'
+      end
+
+      # Attempt to refresh the token
+      attempt_refresh(token_json)
+
+      # Raise if token is hard expired
+      return unless !@expiration || @expiration < Time.now
+
+      raise Errors::InvalidLoginToken,
+            'Login token is invalid and failed to refresh. Please reauthenticate.'
+    end
+
+    def read_cached_token
+      cached_token = JSON.load_file(login_cache_file)
+      validate_cached_token(cached_token)
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError
+      raise Errors::InvalidLoginToken,
+            "Failed to load a Login token for login session #{@login_session}. Please reauthenticate."
+    end
+
+    def login_cache_file
+      directory = ENV['AWS_LOGIN_CACHE_DIRECTORY'] || File.join(Dir.home, '.aws', 'login', 'cache')
+      login_session_sha = OpenSSL::Digest::SHA256.hexdigest(@login_session.strip.encode('utf-8'))
+      File.join(directory, "#{login_session_sha}.json")
+    end
+
+    def validate_cached_token(cached_token)
+      required_cached_token_fields = %w[accessToken clientId refreshToken dpopKey]
+      missing_fields = required_cached_token_fields.reject { |field| cached_token[field] }
+      unless missing_fields.empty?
+        raise ArgumentError, "Cached login token is missing required field(s): #{missing_fields}. " \
+          'Please reauthenticate.'
+      end
+
+      access_token = cached_token['accessToken']
+      required_access_token_fields = %w[accessKeyId secretAccessKey sessionToken accountId expiresAt]
+      missing_fields = required_access_token_fields.reject { |field| access_token[field] }
+
+      return if missing_fields.empty?
+
+      raise ArgumentError, "Access token in cached login token is missing required field(s): #{missing_fields}. " \
+        'Please reauthenticate.'
+    end
+
+    def update_creds(access_token)
+      @credentials = Credentials.new(
+        access_token['accessKeyId'],
+        access_token['secretAccessKey'],
+        access_token['sessionToken'],
+        account_id: access_token['accountId']
+      )
+      @expiration = Time.parse(access_token['expiresAt'])
+    end
+
+    def attempt_refresh(token_json)
+      resp = make_request(token_json)
+      parse_resp(resp.token_output, token_json)
+      update_creds(token_json['accessToken'])
+      update_token_cache(token_json)
+    rescue Signin::Errors::AccessDeniedException => e
+      case e.error
+      when 'TOKEN_EXPIRED'
+        warn 'Your session has expired. Please reauthenticate.'
+      when 'USER_CREDENTIALS_CHANGED'
+        warn 'Unable to refresh credentials because of a change in your password. ' \
+          'Please reauthenticate with your new password.'
+      when 'INSUFFICIENT_PERMISSIONS'
+        warn 'Unable to refresh credentials due to insufficient permissions. ' \
+          'You may be missing permission for the `CreateOAuth2Token` action.'
+      end
+    rescue StandardError => e
+      warn("Failed to refresh Login token for LoginCredentials: #{e.message}")
+    end
+
+    def make_request(token_json)
+      options = {
+        token_input: {
+          client_id: token_json['clientId'],
+          grant_type: 'refresh_token',
+          refresh_token: token_json['refreshToken']
+        }
+      }
+      req = @client.build_request(:create_o_auth_2_token, options)
+      endpoint_params = Aws::Signin::EndpointParameters.create(req.context.config)
+      endpoint = req.context.config.endpoint_provider.resolve_endpoint(endpoint_params)
+      endpoint = URI.join(endpoint.url, @client.config.api.operation(:create_o_auth_2_token).http_request_uri).to_s
+      req.context.http_request.headers['DPoP'] = dpop_proof(token_json['dpopKey'], endpoint)
+      req.send_request
+    end
+
+    def dpop_proof(dpop_key, endpoint)
+      # Load private key from cached token file
+      private_key = OpenSSL::PKey.read(dpop_key)
+      public_key = private_key.public_key.to_octet_string(:uncompressed)
+
+      # Construct header and payload
+      header = build_header(public_key[1, 32], public_key[33, 32])
+      payload = build_payload(endpoint)
+
+      # Base64URL encode header and payload, sign message using private key, and create header
+      message = build_message(header, payload)
+      signature = private_key.sign(OpenSSL::Digest.new('SHA256'), message)
+      jws_signature = der_to_jws(signature)
+      "#{message}.#{Base64.urlsafe_encode64(jws_signature, padding: false)}"
+    end
+
+    def build_header(x_bytes, y_bytes)
+      {
+        'alg' => 'ES256', # signing algorithm
+        'jwk' => {
+          'crv' => 'P-256', # curve name
+          'kty' => 'EC', # key type
+          'x' => Base64.urlsafe_encode64(x_bytes, padding: false), # public x coordinate
+          'y' => Base64.urlsafe_encode64(y_bytes, padding: false) # public y coordinate
+        },
+        'typ' => 'dpop+jwt' # hardcoded
+      }
+    end
+
+    def build_payload(htu)
+      {
+        'jti' => SecureRandom.uuid, # unique identifier (UUID4)
+        'htm' => @client.config.api.operation(:create_o_auth_2_token).http_method, # POST
+        'htu' => htu, # endpoint of the CreateOAuth2Token operation, with path
+        'iat' => Time.now.utc.to_i # UTC timestamp, specified number of seconds from 1970-01-01T00:00:00Z UTC
+      }
+    end
+
+    def build_message(header, payload)
+      encoded_header = Base64.urlsafe_encode64(JSON.dump(header), padding: false)
+      encoded_payload = Base64.urlsafe_encode64(JSON.dump(payload), padding: false)
+      "#{encoded_header}.#{encoded_payload}"
+    end
+
+    # Converts DER-encoded ASN.1 signature to JWS
+    def der_to_jws(der_signature)
+      asn1 = OpenSSL::ASN1.decode(der_signature)
+      r = asn1.value[0].value
+      s = asn1.value[1].value
+
+      r_hex = r.to_s(16).rjust(64, '0')
+      s_hex = s.to_s(16).rjust(64, '0')
+
+      [r_hex + s_hex].pack('H*')
+    end
+
+    def parse_resp(resp, token_json)
+      access_token = token_json['accessToken']
+      access_token.merge!(
+        'accessKeyId' => resp.access_token.access_key_id,
+        'secretAccessKey' => resp.access_token.secret_access_key,
+        'sessionToken' => resp.access_token.session_token,
+        'expiresAt' => (Time.now.utc + resp.expires_in).to_datetime.rfc3339
+      )
+      token_json['refreshToken'] = resp.refresh_token
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      # File.write is not atomic so use temp file and move
+      temp_file = Tempfile.new('temp_file')
+      begin
+        temp_file.write(Json.dump(cached_token))
+        temp_file.close
+        FileUtils.mv(temp_file.path, login_cache_file)
+      ensure
+        temp_file.unlink if File.exist?(temp_file.path) # Ensure temp file is cleaned up
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/user_agent.rb

@@ -55,7 +55,9 @@ module Aws
           "CREDENTIALS_IMDS" : "0",
           "SSO_LOGIN_DEVICE" : "1",
           "SSO_LOGIN_AUTH" : "2",
-          "BEARER_SERVICE_ENV_VARS": "3"
+          "BEARER_SERVICE_ENV_VARS": "3",
+          "CREDENTIALS_PROFILE_LOGIN": "AC",
+          "CREDENTIALS_LOGIN": "AD"
         }
       METRICS
 

data/lib/aws-sdk-core/shared_config.rb

@@ -171,6 +171,16 @@ module Aws
       token
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def login_credentials_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      credentials = login_credentials_from_profile(@parsed_credentials, p)
+      credentials ||= login_credentials_from_profile(@parsed_config, p) if @parsed_config
+      credentials
+    end
+
     # Source a custom configured endpoint from the shared configuration file
     #
     # @param [Hash] opts
@@ -469,6 +479,14 @@ module Aws
       end
     end
 
+    def login_credentials_from_profile(cfg, profile)
+      return unless @parsed_config && (prof_config = cfg[profile]) && prof_config['login_session']
+
+      creds = LoginCredentials.new(login_session: prof_config['login_session'])
+      creds.metrics << 'CREDENTIALS_PROFILE_LOGIN'
+      creds
+    end
+
     def credentials_from_profile(prof_config)
       creds = Credentials.new(
         prof_config['aws_access_key_id'],

data/lib/aws-sdk-core.rb

@@ -25,6 +25,7 @@ module Aws
   autoload :SharedCredentials, 'aws-sdk-core/shared_credentials'
   autoload :ProcessCredentials, 'aws-sdk-core/process_credentials'
   autoload :SSOCredentials, 'aws-sdk-core/sso_credentials'
+  autoload :LoginCredentials, 'aws-sdk-core/login_credentials'
 
 
   # tokens and token providers
@@ -175,3 +176,6 @@ require_relative 'aws-sdk-sts'
 # aws-sdk-sso is included to support Aws::SSOCredentials
 require_relative 'aws-sdk-sso'
 require_relative 'aws-sdk-ssooidc'
+
+# aws-sdk-signin is included to support Aws::SignInCredentials
+require_relative 'aws-sdk-signin'