aws-sdk-s3 1.101.0 → 1.105.0

@@ -22,6 +22,7 @@ module Aws::S3
22
22
  AcceptRanges = Shapes::StringShape.new(name: 'AcceptRanges')
23
23
  AccessControlPolicy = Shapes::StructureShape.new(name: 'AccessControlPolicy')
24
24
  AccessControlTranslation = Shapes::StructureShape.new(name: 'AccessControlTranslation')
25
+ AccessPointArn = Shapes::StringShape.new(name: 'AccessPointArn')
25
26
  AccountId = Shapes::StringShape.new(name: 'AccountId')
26
27
  AllowQuotedRecordDelimiter = Shapes::BooleanShape.new(name: 'AllowQuotedRecordDelimiter')
27
28
  AllowedHeader = Shapes::StringShape.new(name: 'AllowedHeader')
@@ -1686,6 +1687,7 @@ module Aws::S3
1686
1687
 
1687
1688
  MetricsAndOperator.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
1688
1689
  MetricsAndOperator.add_member(:tags, Shapes::ShapeRef.new(shape: TagSet, location_name: "Tag", metadata: {"flattened"=>true}))
1690
+ MetricsAndOperator.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
1689
1691
  MetricsAndOperator.struct_class = Types::MetricsAndOperator
1690
1692
 
1691
1693
  MetricsConfiguration.add_member(:id, Shapes::ShapeRef.new(shape: MetricsId, required: true, location_name: "Id"))
@@ -1696,6 +1698,7 @@ module Aws::S3
1696
1698
 
1697
1699
  MetricsFilter.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
1698
1700
  MetricsFilter.add_member(:tag, Shapes::ShapeRef.new(shape: Tag, location_name: "Tag"))
1701
+ MetricsFilter.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
1699
1702
  MetricsFilter.add_member(:and, Shapes::ShapeRef.new(shape: MetricsAndOperator, location_name: "And"))
1700
1703
  MetricsFilter.struct_class = Types::MetricsFilter
1701
1704
 
@@ -184,10 +184,10 @@ module Aws::S3
184
184
  end
185
185
 
186
186
  # If the object is stored using server-side encryption either with an
187
- # Amazon Web Services KMS customer master key (CMK) or an Amazon
188
- # S3-managed encryption key, the response includes this header with the
189
- # value of the server-side encryption algorithm used when storing this
190
- # object in Amazon S3 (for example, AES256, aws:kms).
187
+ # Amazon Web Services KMS key or an Amazon S3-managed encryption key,
188
+ # the response includes this header with the value of the server-side
189
+ # encryption algorithm used when storing this object in Amazon S3 (for
190
+ # example, AES256, aws:kms).
191
191
  # @return [String]
192
192
  def server_side_encryption
193
193
  data[:server_side_encryption]
@@ -217,8 +217,8 @@ module Aws::S3
217
217
  end
218
218
 
219
219
  # If present, specifies the ID of the Amazon Web Services Key Management
220
- # Service (Amazon Web Services KMS) symmetric customer managed customer
221
- # master key (CMK) that was used for the object.
220
+ # Service (Amazon Web Services KMS) symmetric customer managed key that
221
+ # was used for the object.
222
222
  # @return [String]
223
223
  def ssekms_key_id
224
224
  data[:ssekms_key_id]
@@ -1028,13 +1028,13 @@ module Aws::S3
1028
1028
  # RFC 1321. Amazon S3 uses this header for a message integrity check to
1029
1029
  # ensure that the encryption key was transmitted without error.
1030
1030
  # @option options [String] :ssekms_key_id
1031
- # Specifies the ID of the symmetric customer managed Amazon Web Services
1032
- # KMS CMK to use for object encryption. All GET and PUT requests for an
1033
- # object protected by Amazon Web Services KMS will fail if not made via
1034
- # SSL or using SigV4. For information about configuring using any of the
1035
- # officially supported Amazon Web Services SDKs and Amazon Web Services
1036
- # CLI, see [Specifying the Signature Version in Request
1037
- # Authentication][1] in the *Amazon S3 User Guide*.
1031
+ # Specifies the ID of the symmetric customer managed key to use for
1032
+ # object encryption. All GET and PUT requests for an object protected by
1033
+ # Amazon Web Services KMS will fail if not made via SSL or using SigV4.
1034
+ # For information about configuring using any of the officially
1035
+ # supported Amazon Web Services SDKs and Amazon Web Services CLI, see
1036
+ # [Specifying the Signature Version in Request Authentication][1] in the
1037
+ # *Amazon S3 User Guide*.
1038
1038
  #
1039
1039
  #
1040
1040
  #
@@ -1277,12 +1277,12 @@ module Aws::S3
1277
1277
  # If `x-amz-server-side-encryption` is present and has the value of
1278
1278
  # `aws:kms`, this header specifies the ID of the Amazon Web Services Key
1279
1279
  # Management Service (Amazon Web Services KMS) symmetrical customer
1280
- # managed customer master key (CMK) that was used for the object. If you
1281
- # specify `x-amz-server-side-encryption:aws:kms`, but do not provide`
1280
+ # managed key that was used for the object. If you specify
1281
+ # `x-amz-server-side-encryption:aws:kms`, but do not provide`
1282
1282
  # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
1283
- # Amazon Web Services managed CMK in Amazon Web Services to protect the
1284
- # data. If the KMS key does not exist in the same account issuing the
1285
- # command, you must use the full ARN and not just the ID.
1283
+ # Amazon Web Services managed key to protect the data. If the KMS key
1284
+ # does not exist in the same account issuing the command, you must use
1285
+ # the full ARN and not just the ID.
1286
1286
  # @option options [String] :ssekms_encryption_context
1287
1287
  # Specifies the Amazon Web Services KMS Encryption Context to use for
1288
1288
  # object encryption. The value of this header is a base64-encoded UTF-8
@@ -772,13 +772,13 @@ module Aws::S3
772
772
  # RFC 1321. Amazon S3 uses this header for a message integrity check to
773
773
  # ensure that the encryption key was transmitted without error.
774
774
  # @option options [String] :ssekms_key_id
775
- # Specifies the ID of the symmetric customer managed Amazon Web Services
776
- # KMS CMK to use for object encryption. All GET and PUT requests for an
777
- # object protected by Amazon Web Services KMS will fail if not made via
778
- # SSL or using SigV4. For information about configuring using any of the
779
- # officially supported Amazon Web Services SDKs and Amazon Web Services
780
- # CLI, see [Specifying the Signature Version in Request
781
- # Authentication][1] in the *Amazon S3 User Guide*.
775
+ # Specifies the ID of the symmetric customer managed key to use for
776
+ # object encryption. All GET and PUT requests for an object protected by
777
+ # Amazon Web Services KMS will fail if not made via SSL or using SigV4.
778
+ # For information about configuring using any of the officially
779
+ # supported Amazon Web Services SDKs and Amazon Web Services CLI, see
780
+ # [Specifying the Signature Version in Request Authentication][1] in the
781
+ # *Amazon S3 User Guide*.
782
782
  #
783
783
  #
784
784
  #
@@ -1021,12 +1021,12 @@ module Aws::S3
1021
1021
  # If `x-amz-server-side-encryption` is present and has the value of
1022
1022
  # `aws:kms`, this header specifies the ID of the Amazon Web Services Key
1023
1023
  # Management Service (Amazon Web Services KMS) symmetrical customer
1024
- # managed customer master key (CMK) that was used for the object. If you
1025
- # specify `x-amz-server-side-encryption:aws:kms`, but do not provide`
1024
+ # managed key that was used for the object. If you specify
1025
+ # `x-amz-server-side-encryption:aws:kms`, but do not provide`
1026
1026
  # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
1027
- # Amazon Web Services managed CMK in Amazon Web Services to protect the
1028
- # data. If the KMS key does not exist in the same account issuing the
1029
- # command, you must use the full ARN and not just the ID.
1027
+ # Amazon Web Services managed key to protect the data. If the KMS key
1028
+ # does not exist in the same account issuing the command, you must use
1029
+ # the full ARN and not just the ID.
1030
1030
  # @option options [String] :ssekms_encryption_context
1031
1031
  # Specifies the Amazon Web Services KMS Encryption Context to use for
1032
1032
  # object encryption. The value of this header is a base64-encoded UTF-8
@@ -41,7 +41,7 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
41
41
  accelerate = context.params.delete(:use_accelerate_endpoint)
42
42
  end
43
43
  accelerate = context.config.use_accelerate_endpoint if accelerate.nil?
44
- # Raise if :endpoint and dualstack are both provided
44
+ # Raise if :endpoint and accelerate are both provided
45
45
  if accelerate && !context.config.regional_endpoint
46
46
  raise ArgumentError,
47
47
  'Cannot use both :use_accelerate_endpoint and :endpoint'
@@ -3,6 +3,7 @@
3
3
  require_relative '../arn/access_point_arn'
4
4
  require_relative '../arn/object_lambda_arn'
5
5
  require_relative '../arn/outpost_access_point_arn'
6
+ require_relative '../arn/multi_region_access_point_arn'
6
7
 
7
8
  module Aws
8
9
  module S3
@@ -23,6 +24,18 @@ be made. Set to `false` to use the client's region instead.
23
24
  resolve_s3_use_arn_region(cfg)
24
25
  end
25
26
 
27
+ option(
28
+ :s3_disable_multiregion_access_points,
29
+ default: false,
30
+ doc_type: 'Boolean',
31
+ docstring: <<-DOCS) do |cfg|
32
+ When set to `false` this will option will raise errors when multi-region
33
+ access point ARNs are used. Multi-region access points can potentially
34
+ result in cross region requests.
35
+ DOCS
36
+ resolve_s3_disable_multiregion_access_points(cfg)
37
+ end
38
+
26
39
  # param validator is validate:50
27
40
  # endpoint is build:90 (populates the URI for the first time)
28
41
  # endpoint pattern is build:10
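Review bot: The docstring for `:s3_disable_multiregion_access_points` says the opposite of what the code does. The guard added later in this file (`if arn.region.empty? && context.config.s3_disable_multiregion_access_points`) raises when the option is true, and the default `false` lets Multi-region Access Point ARNs through. Because this option is the switch that keeps requests from leaving the client's region, an inverted description can leave an operator on the default while believing MRAP ARNs are rejected. Suggested heredoc text: "When set to `true`, an error is raised when multi-region access point ARNs are used. Multi-region access points can potentially result in cross region requests." This also removes the doubled "this will option will".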
@@ -64,17 +77,10 @@ be made. Set to `false` to use the client's region instead.
64
77
  if arn
65
78
  validate_config!(context, arn)
66
79
 
67
- fips = false
68
- if resolved_region.include?('fips')
69
- fips = true
70
- resolved_region = resolved_region.gsub('fips-', '')
71
- .gsub('-fips', '')
72
- end
73
-
74
80
  context.metadata[:s3_arn] = {
75
81
  arn: arn,
76
82
  resolved_region: resolved_region,
77
- fips: fips,
83
+ fips: context.config.use_fips_endpoint,
78
84
  dualstack: extract_dualstack_config!(context)
79
85
  }
80
86
  end
@@ -113,8 +119,21 @@ be made. Set to `false` to use the client's region instead.
113
119
 
114
120
  if !arn.support_dualstack? && context[:use_dualstack_endpoint]
115
121
  raise ArgumentError,
116
- 'Cannot provide an Outpost Access Point ARN when '\
117
- '`:use_dualstack_endpoint` is set to true.'
122
+ 'Cannot provide an Outpost Access Point, Object Lambda, '\
123
+ 'or Multi-region Access Point ARN'\
124
+ ' when `:use_dualstack_endpoint` is set to true.'
125
+ end
126
+
127
+ if arn.region.empty? && context.config.s3_disable_multiregion_access_points
128
+ raise ArgumentError,
129
+ 'Cannot provide a Multi-region Access Point ARN with '\
130
+ '`:s3_disable_multiregion_access_points` set to true'
131
+ end
132
+
133
+ if context.config.use_fips_endpoint && !arn.support_fips?
134
+ raise ArgumentError,
135
+ 'FIPS client regions are not supported for this type '\
136
+ 'of ARN.'
118
137
  end
119
138
  end
120
139
  end
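Review bot: The new opt-out guard recognises a Multi-region Access Point by `arn.region.empty?`, while the signer changes in this release choose SigV4a with `arn[:arn].is_a?(MultiRegionAccessPointARN)`. Since `:s3_disable_multiregion_access_points` is the control that stops cross-region requests, the guard and the signing decision are safer sharing one test, for example `if arn.is_a?(Aws::S3::MultiRegionAccessPointARN) && context.config.s3_disable_multiregion_access_points`. The FIPS guard below it still says "FIPS client regions are not supported", although the condition now reads `context.config.use_fips_endpoint` rather than the region string. The enclosing method begins above the hunk, so the type of `arn` at this point is inferred from the `support_dualstack?` and `support_fips?` calls.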
@@ -127,7 +146,7 @@ be made. Set to `false` to use the client's region instead.
127
146
  s3_arn = resolve_arn_type!(arn)
128
147
  s3_arn.validate_arn!
129
148
  validate_region_config!(s3_arn, region, use_arn_region)
130
- region = s3_arn.region if use_arn_region && !region.include?('fips')
149
+ region = s3_arn.region if use_arn_region
131
150
  [region, s3_arn]
132
151
  else
133
152
  [region]
@@ -147,7 +166,9 @@ be made. Set to `false` to use the client's region instead.
147
166
  def resolve_arn_type!(arn)
148
167
  case arn.service
149
168
  when 's3'
150
- Aws::S3::AccessPointARN.new(arn.to_h)
169
+ arn.region.empty? ?
170
+ Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
171
+ Aws::S3::AccessPointARN.new(arn.to_h)
151
172
  when 's3-outposts'
152
173
  Aws::S3::OutpostAccessPointARN.new(arn.to_h)
153
174
  when 's3-object-lambda'
@@ -174,6 +195,21 @@ be made. Set to `false` to use the client's region instead.
174
195
  value
175
196
  end
176
197
 
198
+ def resolve_s3_disable_multiregion_access_points(cfg)
199
+ value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
200
+ Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
201
+ 'false'
202
+ value = Aws::Util.str_2_bool(value)
203
+ # Raise if provided value is not true or false
204
+ if value.nil?
205
+ raise ArgumentError,
206
+ 'Must provide either `true` or `false` for '\
207
+ 's3_use_arn_region profile option or for '\
208
+ "ENV['AWS_S3_USE_ARN_REGION']"
209
+ end
210
+ value
211
+ end
212
+
177
213
  # Remove ARN from the path because we've already set the new host
178
214
  def url_path(path, arn)
179
215
  path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
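Review bot: The ArgumentError raised by `resolve_s3_disable_multiregion_access_points` names the wrong setting: it tells the user to correct `s3_use_arn_region` and `ENV['AWS_S3_USE_ARN_REGION']`, which looks carried over from the neighbouring resolver. Anyone who supplies a malformed value for the new opt-out is pointed at an unrelated option and may never find the one that controls cross-region access. The two message lines should read `'s3_disable_multiregion_access_points profile option or for '\` and `"ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS']"`.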
@@ -195,29 +231,19 @@ be made. Set to `false` to use the client's region instead.
195
231
  raise Aws::Errors::InvalidARNPartitionError
196
232
  end
197
233
  else
198
- if region.include?('fips')
199
- # If ARN type doesn't support FIPS but the client region is FIPS
200
- unless arn.support_fips?
201
- raise ArgumentError,
202
- 'FIPS client regions are not supported for this type '\
203
- 'of ARN.'
234
+ # use_arn_region does not apply to MRAP (global) arns
235
+ unless arn.region.empty?
236
+ # Raise if the ARN and client regions are in different partitions
237
+ if use_arn_region &&
238
+ !Aws::Partitions.partition(arn.partition).region?(region)
239
+ raise Aws::Errors::InvalidARNPartitionError
204
240
  end
205
241
 
206
- fips = true
207
- # Normalize the region so we can compare partition and regions
208
- region = region.gsub('fips-', '').gsub('-fips', '')
209
- end
210
-
211
- # Raise if the ARN and client regions are in different partitions
212
- if use_arn_region &&
213
- !Aws::Partitions.partition(arn.partition).region?(region)
214
- raise Aws::Errors::InvalidARNPartitionError
215
- end
216
-
217
- # Raise if regions mismatch
218
- # Either when it's a fips client or not using the ARN region
219
- if (!use_arn_region || fips) && region != arn.region
220
- raise Aws::Errors::InvalidARNRegionError
242
+ # Raise if regions mismatch
243
+ # Either when it's a fips client or not using the ARN region
244
+ if !use_arn_region && region != arn.region
245
+ raise Aws::Errors::InvalidARNRegionError
246
+ end
221
247
  end
222
248
  end
223
249
  end
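Review bot: The comment `# Either when it's a fips client or not using the ARN region` no longer describes the condition under it, which is now `!use_arn_region && region != arn.region` with the FIPS term removed. Suggested replacement: `# Raise if regions mismatch and the ARN region is not being used`. The method starts above the hunk, so it cannot be confirmed from here whether a FIPS client is still held to a region match elsewhere. If the relaxation is intended, a test pinning that behaviour would make it explicit.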
@@ -24,7 +24,7 @@ request URI and never moved to the host as a sub-domain.
24
24
  DOCS
25
25
 
26
26
  def add_handlers(handlers, config)
27
- handlers.add(Handler) unless config.force_path_style
27
+ handlers.add(Handler, priority: 48) unless config.force_path_style
28
28
  end
29
29
 
30
30
  # @api private
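Review bot: `priority: 48` is an ordering constant with no explanation, and it appears chosen relative to the `priority: 49` that this release gives `DualstackHandler`. The dualstack handler no longer builds the bucket-prefixed host itself, so the two handlers now depend on running in a particular order. A comment at the `handlers.add` call would protect that, for example `# priority 48: ordered relative to DualstackHandler (priority 49), which rewrites the host without the bucket label`. The ARN plugin already documents its handler ordering in the same way.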
@@ -5,18 +5,9 @@ module Aws
5
5
  module Plugins
6
6
  # @api private
7
7
  class Dualstack < Seahorse::Client::Plugin
8
-
9
- option(:use_dualstack_endpoint,
10
- default: false,
11
- doc_type: 'Boolean',
12
- docstring: <<-DOCS)
13
- When set to `true`, IPv6-compatible bucket endpoints will be used
14
- for all operations.
15
- DOCS
16
-
17
8
  def add_handlers(handlers, config)
18
9
  handlers.add(OptionHandler, step: :initialize)
19
- handlers.add(DualstackHandler, step: :build, priority: 11)
10
+ handlers.add(DualstackHandler, step: :build, priority: 49)
20
11
  end
21
12
 
22
13
  # @api private
@@ -40,38 +31,41 @@ for all operations.
40
31
  # @api private
41
32
  class DualstackHandler < Seahorse::Client::Handler
42
33
  def call(context)
43
- if context.config.regional_endpoint && use_dualstack_endpoint?(context)
34
+ # only rewrite the endpoint if it's not a custom endpoint
35
+ # accelerate/ARN already handle dualstack cases, so ignore these
36
+ # check to see if dualstack is on but configured off via operation
37
+ if context.config.regional_endpoint &&
38
+ use_dualstack_endpoint?(context)
44
39
  apply_dualstack_endpoint(context)
45
40
  end
46
41
  @handler.call(context)
47
42
  end
48
43
 
49
44
  private
50
- def apply_dualstack_endpoint(context)
51
- bucket_name = context.params[:bucket]
52
- region = context.config.region
53
- dns_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(region)
54
45
 
55
- if use_bucket_dns?(bucket_name, context)
56
- host = "#{bucket_name}.s3.dualstack.#{region}.#{dns_suffix}"
57
- else
58
- host = "s3.dualstack.#{region}.#{dns_suffix}"
59
- end
46
+ def apply_dualstack_endpoint(context)
47
+ new_endpoint = Aws::Partitions::EndpointProvider.resolve(
48
+ context.config.region,
49
+ 's3',
50
+ 'regional',
51
+ {
52
+ dualstack: context[:use_dualstack_endpoint],
53
+ fips: context.config.use_fips_endpoint
54
+ }
55
+ )
60
56
  endpoint = URI.parse(context.http_request.endpoint.to_s)
61
- endpoint.scheme = context.http_request.endpoint.scheme
62
- endpoint.port = context.http_request.endpoint.port
63
- endpoint.host = host
64
- context.http_request.endpoint = endpoint.to_s
65
- end
66
-
67
- def use_bucket_dns?(bucket_name, context)
68
- ssl = context.http_request.endpoint.scheme == "https"
69
- bucket_name && BucketDns.dns_compatible?(bucket_name, ssl) &&
70
- !context.config.force_path_style
57
+ endpoint.host = URI.parse(new_endpoint).host
58
+ context.http_request.endpoint = endpoint
71
59
  end
72
60
 
73
61
  def use_dualstack_endpoint?(context)
74
- context[:use_dualstack_endpoint] && !context[:use_accelerate_endpoint]
62
+ # case when dualstack is turned off via operation
63
+ (context[:use_dualstack_endpoint] ||
64
+ context.config.use_dualstack_endpoint) &&
65
+ # accelerate plugin already applies dualstack
66
+ !context[:use_accelerate_endpoint] &&
67
+ # arns handle dualstack
68
+ !context.metadata[:s3_arn]
75
69
  end
76
70
  end
77
71
 
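Review bot: In `use_dualstack_endpoint?` the comment `# case when dualstack is turned off via operation` sits on an expression that cannot express that case. `context[:use_dualstack_endpoint] || context.config.use_dualstack_endpoint` is true whenever the client config is true, even when the per-operation value is `false`. `apply_dualstack_endpoint` then passes only `context[:use_dualstack_endpoint]` to the resolver, so the predicate and the rewrite can disagree. If `OptionHandler` (body not shown) always copies the config value into the context, the `||` is redundant and can go. Otherwise fall back to config only when the operation value is nil, as the accelerate plugin does: `flag = context[:use_dualstack_endpoint]` followed by `flag = context.config.use_dualstack_endpoint if flag.nil?`.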
@@ -22,7 +22,9 @@ module Aws
22
22
  # S3 removes core's signature_v4 plugin that checks for this
23
23
  raise Aws::Errors::MissingRegionError if cfg.region.nil?
24
24
 
25
- Aws::Partitions::EndpointProvider.signing_region(cfg.region, 's3')
25
+ Aws::Partitions::EndpointProvider.signing_region(
26
+ cfg.region, 's3'
27
+ )
26
28
  end
27
29
 
28
30
  def add_handlers(handlers, cfg)
@@ -74,9 +76,17 @@ module Aws
74
76
  credentials: context.config.credentials
75
77
  )
76
78
  elsif (arn = context.metadata[:s3_arn])
79
+ if arn[:arn].is_a?(MultiRegionAccessPointARN)
80
+ signing_region = '*'
81
+ signing_algorithm = :sigv4a
82
+ else
83
+ signing_region = arn[:resolved_region]
84
+ signing_algorithm = :sigv4
85
+ end
77
86
  S3Signer.build_v4_signer(
78
87
  service: arn[:arn].service,
79
- region: arn[:resolved_region],
88
+ signing_algorithm: signing_algorithm,
89
+ region: signing_region,
80
90
  credentials: context.config.credentials
81
91
  )
82
92
  elsif context.operation.name == 'WriteGetObjectResponse'
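Review bot: The MRAP branch sets `signing_region = '*'` and `:sigv4a` with no comment saying why, and the same `is_a?(MultiRegionAccessPointARN)` test is repeated in the presigner hunk further down. A wildcard region means the signature is not bound to a single region, which deserves a note where the choice is made, for example `# MRAP requests can be served from any region: sign with SigV4a and a wildcard region set`. A small private helper returning the region and algorithm pair would keep the signer and the presigner from drifting apart. In the presigner the existing `region = arn[:resolved_region]` is immediately overwritten by the new ternary line and can be dropped.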
@@ -154,7 +164,12 @@ module Aws
154
164
 
155
165
  def custom_endpoint?(resp)
156
166
  resolved_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(
157
- resp.context.config.region
167
+ resp.context.config.region,
168
+ 's3',
169
+ {
170
+ dualstack: resp.context[:use_dualstack_endpoint],
171
+ fips: resp.context.config.use_fips_endpoint
172
+ }
158
173
  )
159
174
  !resp.context.http_request.endpoint.hostname.include?(resolved_suffix)
160
175
  end
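Review bot: `custom_endpoint?` still decides with `hostname.include?(resolved_suffix)`, a substring test, even though this hunk makes the suffix depend on the dualstack and FIPS settings. A host that merely contains the suffix somewhere in its name is treated as a standard AWS endpoint. An anchored comparison such as `!resp.context.http_request.endpoint.hostname.end_with?(".#{resolved_suffix}")` states the intent more exactly. How the result is used lies outside the hunk, so the effect should be checked against the caller.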
@@ -216,6 +231,7 @@ module Aws
216
231
  service: options[:service],
217
232
  region: options[:region],
218
233
  credentials_provider: options[:credentials],
234
+ signing_algorithm: options.fetch(:signing_algorithm, :sigv4),
219
235
  uri_escape_path: false,
220
236
  unsigned_headers: ['content-length', 'x-amzn-trace-id']
221
237
  )
@@ -225,12 +241,20 @@ module Aws
225
241
  # Otherwise it will retry with the ARN as the bucket name.
226
242
  def new_hostname(context, region)
227
243
  uri = URI.parse(
228
- Aws::Partitions::EndpointProvider.resolve(region, 's3')
244
+ Aws::Partitions::EndpointProvider.resolve(
245
+ region, 's3', 'regional',
246
+ {
247
+ dualstack: context[:use_dualstack_endpoint],
248
+ fips: context.config.use_fips_endpoint
249
+ }
250
+ )
229
251
  )
230
252
 
231
253
  if (arn = context.metadata[:s3_arn])
232
254
  # Retry with the response region and not the ARN resolved one
233
- ARN.resolve_url!(uri, arn[:arn], region).host
255
+ ARN.resolve_url!(
256
+ uri, arn[:arn], region, arn[:fips], arn[:dualstack]
257
+ ).host
234
258
  else
235
259
  "#{context.params[:bucket]}.#{uri.host}"
236
260
  end
@@ -231,17 +231,23 @@ module Aws
231
231
  end
232
232
  http_req.endpoint.query = query.join('&') unless query.empty?
233
233
 
234
+ signing_algorithm = :sigv4
235
+
234
236
  # If it's an ARN, get the resolved region and service
235
237
  if (arn = context.metadata[:s3_arn])
236
238
  region = arn[:resolved_region]
237
239
  service = arn[:arn].service
240
+ region = arn[:arn].is_a?(MultiRegionAccessPointARN) ? '*': arn[:resolved_region]
241
+ signing_algorithm = arn[:arn].is_a?(MultiRegionAccessPointARN) ? :sigv4a : :sigv4
238
242
  end
239
243
 
240
244
  signer = Aws::Sigv4::Signer.new(
241
245
  service: service || 's3',
242
246
  region: region || context.config.region,
247
+ signing_algorithm: signing_algorithm,
243
248
  credentials_provider: context.config.credentials,
244
249
  unsigned_headers: unsigned_headers,
250
+ apply_checksum_header: false,
245
251
  uri_escape_path: false
246
252
  )
247
253