aws-sdk-core 3.57.0 → 3.58.0
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +1 -0
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +101 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +17 -0
- data/lib/aws-sdk-core/errors.rb +12 -0
- data/lib/aws-sdk-core/plugins/retry_errors.rb +1 -0
- data/lib/aws-sdk-core/shared_config.rb +19 -0
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1 -1
- metadata +3 -2
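--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8b82f63254467071b547826de2acf86e9b8322ae
+data.tar.gz: 162c01adc59d6d67ca4d39e6dc497bb26bd67139
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 26359f249597293f05b3b02d2bc9bedaff303edf599dd13559d996f68e3ef2f955c1503165940c078c636b4cf1e8496c7817e2e43ff42647d3862c39e08f39c1
+data.tar.gz: 19595dcfe15a41f59bdcd881dc683b23ad41c811dc49d6ee1427c1cd368aa62f9167a96c6401b8b1042d9b29e12d0c16d4d1ae9225e6686a34fd0bf884159120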
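--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-3.
+3.58.0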
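--- a/data/lib/aws-sdk-core.rb
+++ b/data/lib/aws-sdk-core.rb
@@ -9,6 +9,7 @@ require_relative 'aws-sdk-core/deprecations'
 require_relative 'aws-sdk-core/credential_provider'
 require_relative 'aws-sdk-core/refreshing_credentials'
 require_relative 'aws-sdk-core/assume_role_credentials'
+require_relative 'aws-sdk-core/assume_role_web_identity_credentials'
 require_relative 'aws-sdk-core/credentials'
 require_relative 'aws-sdk-core/credential_provider_chain'
 require_relative 'aws-sdk-core/ecs_credentials'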
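--- a/data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb
+++ b/data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb
@@ -0,0 +1,101 @@
+require 'set'
+require 'securerandom'
+require 'base64'
+
+module Aws
+
+# An auto-refreshing credential provider that works by assuming
+# a role via {Aws::STS::Client#assume_role_with_web_identity}.
+#
+# role_credentials = Aws::AssumeRoleWebIdentityCredentials.new(
+# client: Aws::STS::Client.new(...),
+# role_arn: "linked::account::arn",
+# web_identity_token_file: "/path/to/token/file",
+# role_session_name: "session-name"
+# ...
+# )
+# For full list of parameters accepted
+# @see Aws::STS::Client#assume_role_with_web_identity
+#
+#
+# If you omit `:client` option, a new {STS::Client} object will be
+# constructed.
+class AssumeRoleWebIdentityCredentials
+
+include CredentialProvider
+include RefreshingCredentials
+
+# @option options [required, String] :role_arn the IAM role
+# to be assumed
+#
+# @option options [required, String] :web_identity_token_file
+# absolute path to the file on disk containing OIDC token
+#
+# @option options [String] :role_session_name the IAM session
+# name used to distinguish session, when not provided, base64
+# encoded UUID is generated as the session name
+#
+# @option options [STS::Client] :client
+def initialize(options = {})
+client_opts = {}
+@assume_role_web_identity_params = {}
+@token_file = options.delete(:web_identity_token_file)
+options.each_pair do |key, value|
+if self.class.assume_role_web_identity_options.include?(key)
+@assume_role_web_identity_params[key] = value
+else
+client_opts[key] = value
+end
+end
+
+unless @assume_role_web_identity_params[:role_session_name]
+# not provided, generate encoded UUID as session name
+@assume_role_web_identity_params[:role_session_name] = _session_name
+end
+@client = client_opts[:client] || STS::Client.new(client_opts)
+super
+end
+
+# @return [STS::Client]
+attr_reader :client
+
+private
+
+def refresh
+# read from token file everytime it refreshes
+@assume_role_web_identity_params[:web_identity_token] = _token_from_file(@token_file)
+
+c = @client.assume_role_with_web_identity(
+@assume_role_web_identity_params).credentials
+@credentials = Credentials.new(
+c.access_key_id,
+c.secret_access_key,
+c.session_token
+)
+@expiration = c.expiration
+end
+
+def _token_from_file(path)
+unless path && File.exist?(path)
+raise Aws::Errors::MissingWebIdentityTokenFile.new
+end
+File.read(path)
+end
+
+def _session_name
+Base64.strict_encode64(SecureRandom.uuid)
+end
+
+class << self
+
+# @api private
+def assume_role_web_identity_options
+@arwio ||= begin
+input = STS::Client.api.operation(:assume_role_with_web_identity).input
+Set.new(input.shape.member_names)
+end
+end
+
+end
+end
+end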
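Review bot: `_token_from_file` relies on `File.exist?` as the only validation, but that returns true for a directory or an unreadable file, so those cases surface as `Errno::EISDIR`/`Errno::EACCES` out of `File.read` rather than as `MissingWebIdentityTokenFile`, and the check-then-read pair is racy if the token file is rotated between the two calls (refresh re-reads it on every cycle). Rescuing around the read gives callers one failure path for "the file is not there", while a permission error keeps its own, more informative message. The file content is sent verbatim as the token, so a trailing newline written by whatever produces the file would become part of the token — presumably the writer controls that, but it is worth confirming against the STS contract. `raise Aws::Errors::MissingWebIdentityTokenFile` without `.new` is the idiomatic form.
```ruby
def _token_from_file(path)
  raise Aws::Errors::MissingWebIdentityTokenFile unless path
  File.read(path)
rescue Errno::ENOENT, Errno::EISDIR
  raise Aws::Errors::MissingWebIdentityTokenFile
end
```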
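--- a/data/lib/aws-sdk-core/credential_provider_chain.rb
+++ b/data/lib/aws-sdk-core/credential_provider_chain.rb
@@ -21,6 +21,7 @@ module Aws
 [
 [:static_credentials, {}],
 [:env_credentials, {}],
+[:assume_role_web_identity_credentials, {}],
 [:assume_role_credentials, {}],
 [:shared_credentials, {}],
 [:process_credentials, {}],
@@ -98,6 +99,22 @@ module Aws
 end
 end
 
+def assume_role_web_identity_credentials(options)
+if role_arn = ENV['AWS_ROLE_ARN'] &&
+token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']
+AssumeRoleWebIdentityCredentials.new(
+role_arn: role_arn,
+web_identity_token_file: token_file,
+role_session_name: ENV['AWS_ROLE_SESSION_NAME']
+)
+elsif Aws.shared_config.config_enabled?
+profile = options[:config].profile if options[:config]
+Aws.shared_config.assume_role_web_identity_credentials_from_config(profile)
+else
+nil
+end
+end
+
 def instance_profile_credentials(options)
 if ENV["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
 ECSCredentials.new(options)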
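Review bot: The condition in `assume_role_web_identity_credentials` has a precedence defect: `=` binds lower than `&&`, so `if role_arn = ENV['AWS_ROLE_ARN'] && token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']` parses as `role_arn = (ENV['AWS_ROLE_ARN'] && (token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']))`, and whenever both variables are set `role_arn` ends up holding the token file path, which is then passed as `role_arn:` to the provider. Every environment-driven use of this new provider therefore sends the file path where STS expects a role ARN. Assign the two values on their own lines and test them afterwards: `role_arn = ENV['AWS_ROLE_ARN']`, `token_file = ENV['AWS_WEB_IDENTITY_TOKEN_FILE']`, `if role_arn && token_file`. A unit test that sets both variables and asserts the `role_arn:` the provider receives would have caught this.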
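--- a/data/lib/aws-sdk-core/errors.rb
+++ b/data/lib/aws-sdk-core/errors.rb
@@ -158,6 +158,18 @@ module Aws
 end
 end
 
+# Raised when :web_identity_token_file parameter is not
+# provided or the file doesn't exist when initializing
+# AssumeRoleWebIdentityCredentials credential provider
+class MissingWebIdentityTokenFile < RuntimeError
+def initialize(*args)
+msg = 'Missing :web_identity_token_file parameter or'\
+' invalid file path provided for'\
+' Aws::AssumeRoleWebIdentityCredentials provider'
+super(msg)
+end
+end
+
 # Raised when a credentials provider process returns a JSON
 # payload with either invalid version number or malformed contents
 class InvalidProcessCredentialsPayload < RuntimeError; end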
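Review bot: `MissingWebIdentityTokenFile#initialize(*args)` accepts arguments and silently discards them, so a caller writing `raise MissingWebIdentityTokenFile, "/path/that/failed"` loses the detail and always gets the fixed message. Keeping the default while honouring a supplied message is a two-line change: `def initialize(msg = nil)` and `super(msg || DEFAULT_MSG)`, with the current literal moved into a frozen constant. The comment above the class says the file "doesn't exist", but the provider's message also covers an invalid path; aligning the two wordings would help whoever greps for this error.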
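--- a/data/lib/aws-sdk-core/shared_config.rb
+++ b/data/lib/aws-sdk-core/shared_config.rb
@@ -121,6 +121,25 @@ module Aws
 credentials
 end
 
+def assume_role_web_identity_credentials_from_config(profile)
+p = profile || @profile_name
+if @config_enabled && @parsed_config
+entry = @parsed_config.fetch(p, {})
+if entry['web_identity_token_file'] &&
+entry['role_arn']
+AssumeRoleWebIdentityCredentials.new(
+role_arn: entry['role_arn'],
+web_identity_token_file: entry['web_identity_token_file'],
+role_session_name: entry['role_session_name']
+)
+else
+nil
+end
+else
+nil
+end
+end
+
 def region(opts = {})
 p = opts[:profile] || @profile_name
 if @config_enabled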
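Review bot: `assume_role_web_identity_credentials_from_config` nests two `if`/`else nil` levels where guard clauses would read better and drop the explicit `nil` branches, which are the implicit result of a failed `return` anyway. The same shape, flattened: `return unless @config_enabled && @parsed_config`, `entry = @parsed_config.fetch(profile || @profile_name, {})`, `return unless entry['web_identity_token_file'] && entry['role_arn']`, followed by the existing `AssumeRoleWebIdentityCredentials.new(...)` call. A profile that sets `web_identity_token_file` without `role_arn` is silently skipped here; if that is meant to fall through to the other providers, a one-line comment saying so would stop a future reader from treating it as an oversight.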
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
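--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.58.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-07-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: jmespath
@@ -83,6 +83,7 @@ files:
 - ca-bundle.crt
 - lib/aws-sdk-core.rb
 - lib/aws-sdk-core/assume_role_credentials.rb
+- lib/aws-sdk-core/assume_role_web_identity_credentials.rb
 - lib/aws-sdk-core/async_client_stubs.rb
 - lib/aws-sdk-core/binary.rb
 - lib/aws-sdk-core/binary/decode_handler.rb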