aws-sdk-core 3.57.0 → 3.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +1 -0
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +101 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +17 -0
- data/lib/aws-sdk-core/errors.rb +12 -0
- data/lib/aws-sdk-core/plugins/retry_errors.rb +1 -0
- data/lib/aws-sdk-core/shared_config.rb +19 -0
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8b82f63254467071b547826de2acf86e9b8322ae
|
|
4
|
+
data.tar.gz: 162c01adc59d6d67ca4d39e6dc497bb26bd67139
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 26359f249597293f05b3b02d2bc9bedaff303edf599dd13559d996f68e3ef2f955c1503165940c078c636b4cf1e8496c7817e2e43ff42647d3862c39e08f39c1
|
|
7
|
+
data.tar.gz: 19595dcfe15a41f59bdcd881dc683b23ad41c811dc49d6ee1427c1cd368aa62f9167a96c6401b8b1042d9b29e12d0c16d4d1ae9225e6686a34fd0bf884159120
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.
|
|
1
|
+
3.58.0
|
data/lib/aws-sdk-core.rb
CHANGED
|
@@ -9,6 +9,7 @@ require_relative 'aws-sdk-core/deprecations'
|
|
|
9
9
|
require_relative 'aws-sdk-core/credential_provider'
|
|
10
10
|
require_relative 'aws-sdk-core/refreshing_credentials'
|
|
11
11
|
require_relative 'aws-sdk-core/assume_role_credentials'
|
|
12
|
+
require_relative 'aws-sdk-core/assume_role_web_identity_credentials'
|
|
12
13
|
require_relative 'aws-sdk-core/credentials'
|
|
13
14
|
require_relative 'aws-sdk-core/credential_provider_chain'
|
|
14
15
|
require_relative 'aws-sdk-core/ecs_credentials'
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
require 'set'
|
|
2
|
+
require 'securerandom'
|
|
3
|
+
require 'base64'
|
|
4
|
+
|
|
5
|
+
module Aws
|
|
6
|
+
|
|
7
|
+
# An auto-refreshing credential provider that works by assuming
|
|
8
|
+
# a role via {Aws::STS::Client#assume_role_with_web_identity}.
|
|
9
|
+
#
|
|
10
|
+
# role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
|
|
11
|
+
# client: Aws::STS::Client.new(...),
|
|
12
|
+
# role_arn: "linked::account::arn",
|
|
13
|
+
# web_identity_token_file: "/path/to/token/file",
|
|
14
|
+
# role_session_name: "session-name"
|
|
15
|
+
# ...
|
|
16
|
+
# )
|
|
17
|
+
# For full list of parameters accepted
|
|
18
|
+
# @see Aws::STS::Client#assume_role_with_web_identity
|
|
19
|
+
#
|
|
20
|
+
#
|
|
21
|
+
# If you omit `:client` option, a new {STS::Client} object will be
|
|
22
|
+
# constructed.
|
|
23
|
+
class AssumeRoleWebIdentityCredentials
|
|
24
|
+
|
|
25
|
+
include CredentialProvider
|
|
26
|
+
include RefreshingCredentials
|
|
27
|
+
|
|
28
|
+
# @option options [required, String] :role_arn the IAM role
|
|
29
|
+
# to be assumed
|
|
30
|
+
#
|
|
31
|
+
# @option options [required, String] :web_identity_token_file
|
|
32
|
+
# absolute path to the file on disk containing OIDC token
|
|
33
|
+
#
|
|
34
|
+
# @option options [String] :role_session_name the IAM session
|
|
35
|
+
# name used to distinguish session, when not provided, base64
|
|
36
|
+
# encoded UUID is generated as the session name
|
|
37
|
+
#
|
|
38
|
+
# @option options [STS::Client] :client
|
|
39
|
+
def initialize(options = {})
|
|
40
|
+
client_opts = {}
|
|
41
|
+
@assume_role_web_identity_params = {}
|
|
42
|
+
@token_file = options.delete(:web_identity_token_file)
|
|
43
|
+
options.each_pair do |key, value|
|
|
44
|
+
if self.class.assume_role_web_identity_options.include?(key)
|
|
45
|
+
@assume_role_web_identity_params[key] = value
|
|
46
|
+
else
|
|
47
|
+
client_opts[key] = value
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
unless @assume_role_web_identity_params[:role_session_name]
|
|
52
|
+
# not provided, generate encoded UUID as session name
|
|
53
|
+
@assume_role_web_identity_params[:role_session_name] = _session_name
|
|
54
|
+
end
|
|
55
|
+
@client = client_opts[:client] || STS::Client.new(client_opts)
|
|
56
|
+
super
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
# @return [STS::Client]
|
|
60
|
+
attr_reader :client
|
|
61
|
+
|
|
62
|
+
private
|
|
63
|
+
|
|
64
|
+
def refresh
|
|
65
|
+
# read from token file everytime it refreshes
|
|
66
|
+
@assume_role_web_identity_params[:web_identity_token] = _token_from_file(@token_file)
|
|
67
|
+
|
|
68
|
+
c = @client.assume_role_with_web_identity(
|
|
69
|
+
@assume_role_web_identity_params).credentials
|
|
70
|
+
@credentials = Credentials.new(
|
|
71
|
+
c.access_key_id,
|
|
72
|
+
c.secret_access_key,
|
|
73
|
+
c.session_token
|
|
74
|
+
)
|
|
75
|
+
@expiration = c.expiration
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
def _token_from_file(path)
|
|
79
|
+
unless path && File.exist?(path)
|
|
80
|
+
raise Aws::Errors::MissingWebIdentityTokenFile.new
|
|
81
|
+
end
|
|
82
|
+
File.read(path)
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
def _session_name
|
|
86
|
+
Base64.strict_encode64(SecureRandom.uuid)
|
|
87
|
+
end
|
|
88
|
+
|
|
89
|
+
class << self
|
|
90
|
+
|
|
91
|
+
# @api private
|
|
92
|
+
def assume_role_web_identity_options
|
|
93
|
+
@arwio ||= begin
|
|
94
|
+
input = STS::Client.api.operation(:assume_role_with_web_identity).input
|
|
95
|
+
Set.new(input.shape.member_names)
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
end
|
|
@@ -21,6 +21,7 @@ module Aws
|
|
|
21
21
|
[
|
|
22
22
|
[:static_credentials, {}],
|
|
23
23
|
[:env_credentials, {}],
|
|
24
|
+
[:assume_role_web_identity_credentials, {}],
|
|
24
25
|
[:assume_role_credentials, {}],
|
|
25
26
|
[:shared_credentials, {}],
|
|
26
27
|
[:process_credentials, {}],
|
|
@@ -98,6 +99,22 @@ module Aws
|
|
|
98
99
|
end
|
|
99
100
|
end
|
|
100
101
|
|
|
102
|
+
def assume_role_web_identity_credentials(options)
|
|
103
|
+
if role_arn = ENV['AWS_ROLE_ARN'] &&
|
|
104
|
+
token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']
|
|
105
|
+
AssumeRoleWebIdentityCredentials.new(
|
|
106
|
+
role_arn: role_arn,
|
|
107
|
+
web_identity_token_file: token_file,
|
|
108
|
+
role_session_name: ENV['AWS_ROLE_SESSION_NAME']
|
|
109
|
+
)
|
|
110
|
+
elsif Aws.shared_config.config_enabled?
|
|
111
|
+
profile = options[:config].profile if options[:config]
|
|
112
|
+
Aws.shared_config.assume_role_web_identity_credentials_from_config(profile)
|
|
113
|
+
else
|
|
114
|
+
nil
|
|
115
|
+
end
|
|
116
|
+
end
|
|
117
|
+
|
|
101
118
|
def instance_profile_credentials(options)
|
|
102
119
|
if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
|
|
103
120
|
ECSCredentials.new(options)
|
data/lib/aws-sdk-core/errors.rb
CHANGED
|
@@ -158,6 +158,18 @@ module Aws
|
|
|
158
158
|
end
|
|
159
159
|
end
|
|
160
160
|
|
|
161
|
+
# Raised when :web_identity_token_file parameter is not
|
|
162
|
+
# provided or the file doesn't exist when initializing
|
|
163
|
+
# AssumeRoleWebIdentityCredentials credential provider
|
|
164
|
+
class MissingWebIdentityTokenFile < RuntimeError
|
|
165
|
+
def initialize(*args)
|
|
166
|
+
msg = 'Missing :web_identity_token_file parameter or'\
|
|
167
|
+
' invalid file path provided for'\
|
|
168
|
+
' Aws::AssumeRoleWebIdentityCredentials provider'
|
|
169
|
+
super(msg)
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
|
|
161
173
|
# Raised when a credentials provider process returns a JSON
|
|
162
174
|
# payload with either invalid version number or malformed contents
|
|
163
175
|
class InvalidProcessCredentialsPayload < RuntimeError; end
|
|
@@ -121,6 +121,25 @@ module Aws
|
|
|
121
121
|
credentials
|
|
122
122
|
end
|
|
123
123
|
|
|
124
|
+
def assume_role_web_identity_credentials_from_config(profile)
|
|
125
|
+
p = profile || @profile_name
|
|
126
|
+
if @config_enabled && @parsed_config
|
|
127
|
+
entry = @parsed_config.fetch(p, {})
|
|
128
|
+
if entry['web_identity_token_file'] &&
|
|
129
|
+
entry['role_arn']
|
|
130
|
+
AssumeRoleWebIdentityCredentials.new(
|
|
131
|
+
role_arn: entry['role_arn'],
|
|
132
|
+
web_identity_token_file: entry['web_identity_token_file'],
|
|
133
|
+
role_session_name: entry['role_session_name']
|
|
134
|
+
)
|
|
135
|
+
else
|
|
136
|
+
nil
|
|
137
|
+
end
|
|
138
|
+
else
|
|
139
|
+
nil
|
|
140
|
+
end
|
|
141
|
+
end
|
|
142
|
+
|
|
124
143
|
def region(opts = {})
|
|
125
144
|
p = opts[:profile] || @profile_name
|
|
126
145
|
if @config_enabled
|
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: aws-sdk-core
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.58.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Amazon Web Services
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-07-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jmespath
|
|
@@ -83,6 +83,7 @@ files:
|
|
|
83
83
|
- ca-bundle.crt
|
|
84
84
|
- lib/aws-sdk-core.rb
|
|
85
85
|
- lib/aws-sdk-core/assume_role_credentials.rb
|
|
86
|
+
- lib/aws-sdk-core/assume_role_web_identity_credentials.rb
|
|
86
87
|
- lib/aws-sdk-core/async_client_stubs.rb
|
|
87
88
|
- lib/aws-sdk-core/binary.rb
|
|
88
89
|
- lib/aws-sdk-core/binary/decode_handler.rb
|