aws-sdk-s3 1.130.0 → 1.151.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +139 -1
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/access_grants_credentials.rb +57 -0
- data/lib/aws-sdk-s3/access_grants_credentials_provider.rb +241 -0
- data/lib/aws-sdk-s3/bucket.rb +424 -81
- data/lib/aws-sdk-s3/bucket_acl.rb +9 -9
- data/lib/aws-sdk-s3/bucket_cors.rb +12 -12
- data/lib/aws-sdk-s3/bucket_lifecycle.rb +12 -12
- data/lib/aws-sdk-s3/bucket_lifecycle_configuration.rb +12 -12
- data/lib/aws-sdk-s3/bucket_logging.rb +16 -9
- data/lib/aws-sdk-s3/bucket_notification.rb +3 -3
- data/lib/aws-sdk-s3/bucket_policy.rb +58 -14
- data/lib/aws-sdk-s3/bucket_region_cache.rb +9 -5
- data/lib/aws-sdk-s3/bucket_request_payment.rb +9 -9
- data/lib/aws-sdk-s3/bucket_tagging.rb +12 -12
- data/lib/aws-sdk-s3/bucket_versioning.rb +27 -27
- data/lib/aws-sdk-s3/bucket_website.rb +12 -12
- data/lib/aws-sdk-s3/client.rb +5784 -2609
- data/lib/aws-sdk-s3/client_api.rb +114 -18
- data/lib/aws-sdk-s3/customizations/errors.rb +15 -2
- data/lib/aws-sdk-s3/customizations/object.rb +55 -0
- data/lib/aws-sdk-s3/customizations.rb +8 -0
- data/lib/aws-sdk-s3/endpoint_parameters.rb +36 -0
- data/lib/aws-sdk-s3/endpoint_provider.rb +110 -252
- data/lib/aws-sdk-s3/endpoints.rb +440 -0
- data/lib/aws-sdk-s3/express_credentials.rb +55 -0
- data/lib/aws-sdk-s3/express_credentials_provider.rb +59 -0
- data/lib/aws-sdk-s3/file_downloader.rb +142 -21
- data/lib/aws-sdk-s3/multipart_file_uploader.rb +4 -4
- data/lib/aws-sdk-s3/multipart_stream_uploader.rb +5 -4
- data/lib/aws-sdk-s3/multipart_upload.rb +69 -16
- data/lib/aws-sdk-s3/multipart_upload_part.rb +160 -35
- data/lib/aws-sdk-s3/object.rb +1504 -235
- data/lib/aws-sdk-s3/object_acl.rb +29 -15
- data/lib/aws-sdk-s3/object_multipart_copier.rb +10 -8
- data/lib/aws-sdk-s3/object_summary.rb +1367 -254
- data/lib/aws-sdk-s3/object_version.rb +297 -42
- data/lib/aws-sdk-s3/plugins/access_grants.rb +108 -0
- data/lib/aws-sdk-s3/plugins/endpoints.rb +14 -2
- data/lib/aws-sdk-s3/plugins/express_session_auth.rb +91 -0
- data/lib/aws-sdk-s3/plugins/location_constraint.rb +3 -1
- data/lib/aws-sdk-s3/plugins/md5s.rb +2 -1
- data/lib/aws-sdk-s3/plugins/s3_signer.rb +7 -2
- data/lib/aws-sdk-s3/presigner.rb +4 -2
- data/lib/aws-sdk-s3/resource.rb +83 -11
- data/lib/aws-sdk-s3/types.rb +4529 -1361
- data/lib/aws-sdk-s3.rb +1 -1
- data/sig/bucket.rbs +212 -0
- data/sig/bucket_acl.rbs +78 -0
- data/sig/bucket_cors.rbs +69 -0
- data/sig/bucket_lifecycle.rbs +88 -0
- data/sig/bucket_lifecycle_configuration.rbs +111 -0
- data/sig/bucket_logging.rbs +76 -0
- data/sig/bucket_notification.rbs +114 -0
- data/sig/bucket_policy.rbs +59 -0
- data/sig/bucket_request_payment.rbs +54 -0
- data/sig/bucket_tagging.rbs +65 -0
- data/sig/bucket_versioning.rbs +77 -0
- data/sig/bucket_website.rbs +93 -0
- data/sig/client.rbs +2362 -0
- data/sig/customizations/bucket.rbs +19 -0
- data/sig/customizations/object.rbs +38 -0
- data/sig/customizations/object_summary.rbs +35 -0
- data/sig/errors.rbs +34 -0
- data/sig/multipart_upload.rbs +110 -0
- data/sig/multipart_upload_part.rbs +105 -0
- data/sig/object.rbs +436 -0
- data/sig/object_acl.rbs +86 -0
- data/sig/object_summary.rbs +334 -0
- data/sig/object_version.rbs +131 -0
- data/sig/resource.rbs +126 -0
- data/sig/types.rbs +2562 -0
- data/sig/waiters.rbs +83 -0
- metadata +43 -11
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6114dedb4a21eb5fbf21942e75b07672dc196f796c7803d700294aa8e1a591af
|
4
|
+
data.tar.gz: 450308ca25390a935185963b6d90dcba80b8ad54fb692db8c39a0e9d70a40527
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 89f03a41c4dfa28e743e7948d96c088fc983610fc5b60af7e63e92b33f088c411d3f72d264bd447e6806963807eb6256938991d571e9df59eb641194b1a5b99d
|
7
|
+
data.tar.gz: '09c924fb2e88f0789fee482eb95eb7f3e636b8246c6ed2f28d410396fa5a199c74d4adfd1fbd7c33ef4524a72c7ee18e78e74d65f58f5219b166d0b96ec550d9'
|
data/CHANGELOG.md
CHANGED
@@ -1,12 +1,150 @@
|
|
1
1
|
Unreleased Changes
|
2
2
|
------------------
|
3
3
|
|
4
|
+
1.151.0 (2024-05-14)
|
5
|
+
------------------
|
6
|
+
|
7
|
+
* Feature - Updated a few x-id in the http uri traits
|
8
|
+
|
9
|
+
1.150.0 (2024-05-13)
|
10
|
+
------------------
|
11
|
+
|
12
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
13
|
+
|
14
|
+
1.149.1 (2024-05-06)
|
15
|
+
------------------
|
16
|
+
|
17
|
+
* Issue - Fix bug where destination bucket default encryption was inadvertently overridden by source object encryption.
|
18
|
+
|
19
|
+
1.149.0 (2024-04-30)
|
20
|
+
------------------
|
21
|
+
|
22
|
+
* Feature - Support S3 Access Grants authentication. Access Grants can be enabled with the `access_grants` option, and custom options can be passed into the `access_grants_credentials_provider` option. This feature requires `aws-sdk-s3control` to be installed.
|
23
|
+
|
24
|
+
* Feature - Add RBS signatures for customizations of S3.
|
25
|
+
|
26
|
+
1.148.0 (2024-04-25)
|
27
|
+
------------------
|
28
|
+
|
29
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
30
|
+
|
31
|
+
1.147.0 (2024-04-16)
|
32
|
+
------------------
|
33
|
+
|
34
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
35
|
+
|
36
|
+
* Issue - Omit `ContentType` plugin when generating presigned url.
|
37
|
+
|
38
|
+
1.146.1 (2024-03-28)
|
39
|
+
------------------
|
40
|
+
|
41
|
+
* Issue - Fix bug where thread_count option was not being respected for multipart uploads.
|
42
|
+
|
43
|
+
1.146.0 (2024-03-18)
|
44
|
+
------------------
|
45
|
+
|
46
|
+
* Feature - Fix two issues with response root node names.
|
47
|
+
|
48
|
+
1.145.0 (2024-03-15)
|
49
|
+
------------------
|
50
|
+
|
51
|
+
* Feature - Documentation updates for Amazon S3.
|
52
|
+
|
53
|
+
1.144.0 (2024-03-13)
|
54
|
+
------------------
|
55
|
+
|
56
|
+
* Feature - This release makes the default option for S3 on Outposts request signing to use the SigV4A algorithm when using AWS Common Runtime (CRT).
|
57
|
+
|
58
|
+
1.143.1 (2024-03-12)
|
59
|
+
------------------
|
60
|
+
|
61
|
+
* Issue - Include original part errors in message when aborting multipart upload fails (#2990).
|
62
|
+
|
63
|
+
1.143.0 (2024-01-26)
|
64
|
+
------------------
|
65
|
+
|
66
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
67
|
+
|
68
|
+
1.142.0 (2023-12-22)
|
69
|
+
------------------
|
70
|
+
|
71
|
+
* Feature - Added additional examples for some operations.
|
72
|
+
|
73
|
+
1.141.0 (2023-11-28)
|
74
|
+
------------------
|
75
|
+
|
76
|
+
* Feature - Adds support for S3 Express One Zone.
|
77
|
+
|
78
|
+
* Feature - Support S3 Express authentication and endpoints. Express session auth can be disabled with the `disable_s3_express_session_auth` Client option, the `AWS_S3_DISABLE_EXPRESS_SESSION_AUTH` environment variable, and the `s3_disable_express_session_auth` shared config option. A custom `express_credentials_provider` can be configured onto the Client.
|
79
|
+
|
80
|
+
1.140.0 (2023-11-27)
|
81
|
+
------------------
|
82
|
+
|
83
|
+
* Feature - Adding new params - Key and Prefix, to S3 API operations for supporting S3 Access Grants. Note - These updates will not change any of the existing S3 API functionality.
|
84
|
+
|
85
|
+
* Issue - Fix thread interruptions in multipart `download_file`, `file_uploader` and `stream_uploader` (#2944).
|
86
|
+
|
87
|
+
1.139.0 (2023-11-22)
|
88
|
+
------------------
|
89
|
+
|
90
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
91
|
+
|
92
|
+
1.138.0 (2023-11-21)
|
93
|
+
------------------
|
94
|
+
|
95
|
+
* Feature - Add support for automatic date based partitioning in S3 Server Access Logs.
|
96
|
+
|
97
|
+
1.137.0 (2023-11-17)
|
98
|
+
------------------
|
99
|
+
|
100
|
+
* Feature - Removes all default 0 values for numbers and false values for booleans
|
101
|
+
|
102
|
+
1.136.0 (2023-09-26)
|
103
|
+
------------------
|
104
|
+
|
105
|
+
* Feature - This release adds a new field COMPLETED to the ReplicationStatus Enum. You can now use this field to validate the replication status of S3 objects using the AWS SDK.
|
106
|
+
|
107
|
+
1.135.0 (2023-09-20)
|
108
|
+
------------------
|
109
|
+
|
110
|
+
* Feature - Fix an issue where the SDK can fail to unmarshall response due to NumberFormatException
|
111
|
+
|
112
|
+
1.134.0 (2023-08-24)
|
113
|
+
------------------
|
114
|
+
|
115
|
+
* Feature - Updates to endpoint ruleset tests to address Smithy validation issues.
|
116
|
+
|
117
|
+
1.133.0 (2023-08-22)
|
118
|
+
------------------
|
119
|
+
|
120
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
121
|
+
|
122
|
+
* Feature - Add support for `progress_callback` in `Object#download_file` and improve multi-threaded performance #(2901).
|
123
|
+
|
124
|
+
1.132.1 (2023-08-09)
|
125
|
+
------------------
|
126
|
+
|
127
|
+
* Issue - Add support for disabling checksum validation in `Object#download_file` (#2893).
|
128
|
+
|
129
|
+
1.132.0 (2023-07-24)
|
130
|
+
------------------
|
131
|
+
|
132
|
+
* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
|
133
|
+
|
134
|
+
* Feature - Add support for verifying checksums in FileDownloader.
|
135
|
+
|
136
|
+
1.131.0 (2023-07-20)
|
137
|
+
------------------
|
138
|
+
|
139
|
+
* Feature - Improve performance of S3 clients by simplifying and optimizing endpoint resolution.
|
140
|
+
|
4
141
|
1.130.0 (2023-07-13)
|
5
142
|
------------------
|
6
143
|
|
7
144
|
* Feature - S3 Inventory now supports Object Access Control List and Object Owner as available object metadata fields in inventory reports.
|
8
145
|
|
9
146
|
* Feature - Allow Object multipart copy API to work when requiring a checksum algorithm.
|
147
|
+
|
10
148
|
* Feature - Allow Object multipart copy API to optionally copy parts as they exist on the source object if it has parts, instead of generating new part ranges, when specifying `use_source_parts: true`.
|
11
149
|
|
12
150
|
1.129.0 (2023-07-11)
|
@@ -44,7 +182,7 @@ Unreleased Changes
|
|
44
182
|
1.123.2 (2023-06-12)
|
45
183
|
------------------
|
46
184
|
|
47
|
-
* Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866).
|
185
|
+
* Issue - Fix issue when decrypting noncurrent versions of objects when using client side encryption (#2866).
|
48
186
|
|
49
187
|
1.123.1 (2023-06-02)
|
50
188
|
------------------
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.
|
1
|
+
1.151.0
|
@@ -0,0 +1,57 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'set'
|
4
|
+
|
5
|
+
module Aws
|
6
|
+
module S3
|
7
|
+
# @api private
|
8
|
+
class AccessGrantsCredentials
|
9
|
+
include CredentialProvider
|
10
|
+
include RefreshingCredentials
|
11
|
+
|
12
|
+
def initialize(options = {})
|
13
|
+
@client = options[:client]
|
14
|
+
@get_data_access_params = {}
|
15
|
+
options.each_pair do |key, value|
|
16
|
+
if self.class.get_data_access_options.include?(key)
|
17
|
+
@get_data_access_params[key] = value
|
18
|
+
end
|
19
|
+
end
|
20
|
+
@async_refresh = true
|
21
|
+
super
|
22
|
+
end
|
23
|
+
|
24
|
+
# @return [S3Control::Client]
|
25
|
+
attr_reader :client
|
26
|
+
|
27
|
+
# @return [String]
|
28
|
+
attr_reader :matched_grant_target
|
29
|
+
|
30
|
+
private
|
31
|
+
|
32
|
+
def refresh
|
33
|
+
c = @client.get_data_access(@get_data_access_params)
|
34
|
+
credentials = c.credentials
|
35
|
+
@matched_grant_target = c.matched_grant_target
|
36
|
+
@credentials = Credentials.new(
|
37
|
+
credentials.access_key_id,
|
38
|
+
credentials.secret_access_key,
|
39
|
+
credentials.session_token
|
40
|
+
)
|
41
|
+
@expiration = credentials.expiration
|
42
|
+
end
|
43
|
+
|
44
|
+
class << self
|
45
|
+
|
46
|
+
# @api private
|
47
|
+
def get_data_access_options
|
48
|
+
@gdao ||= begin
|
49
|
+
input = Aws::S3Control::Client.api.operation(:get_data_access).input
|
50
|
+
Set.new(input.shape.member_names)
|
51
|
+
end
|
52
|
+
end
|
53
|
+
|
54
|
+
end
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
@@ -0,0 +1,241 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Aws
|
4
|
+
module S3
|
5
|
+
# @api private
|
6
|
+
def self.access_grants_credentials_cache
|
7
|
+
@access_grants_credentials_cache ||= LRUCache.new(max_entries: 100)
|
8
|
+
end
|
9
|
+
|
10
|
+
# @api private
|
11
|
+
def self.access_grants_account_id_cache
|
12
|
+
@access_grants_account_id_cache ||= LRUCache.new(
|
13
|
+
max_entries: 100,
|
14
|
+
expiration: 60 * 10
|
15
|
+
)
|
16
|
+
end
|
17
|
+
|
18
|
+
# Returns Credentials class for S3 Access Grants. Accepts GetDataAccess
|
19
|
+
# params and other configuration as options. See
|
20
|
+
# {Aws::S3Control::Client#get_data_access} for details.
|
21
|
+
class AccessGrantsCredentialsProvider
|
22
|
+
# @param [Hash] options
|
23
|
+
# @option options [Hash] :s3_control_client_options The S3 Control
|
24
|
+
# client options used to create regional S3 Control clients to
|
25
|
+
# create the session. Region will be set to the region of the
|
26
|
+
# bucket.
|
27
|
+
# @option options [Aws::STS::Client] :sts_client The STS client used for
|
28
|
+
# fetching the Account ID for the credentials if credentials do not
|
29
|
+
# include an Account ID.
|
30
|
+
# @option options [Aws::S3::Client] :s3_client The S3 client used for
|
31
|
+
# fetching the location of the bucket so that a regional S3 Control
|
32
|
+
# client can be created. Defaults to the S3 client from the access
|
33
|
+
# grants plugin.
|
34
|
+
# @option options [String] :privilege ('Default') The privilege to use
|
35
|
+
# when requesting credentials. (see: {Aws::S3Control::Client#get_data_access})
|
36
|
+
# @option options [Boolean] :fallback (false) When true, if access is
|
37
|
+
# denied, the provider will fall back to the configured credentials.
|
38
|
+
# @option options [Boolean] :caching (true) When true, credentials and
|
39
|
+
# bucket account ids will be cached.
|
40
|
+
# @option options [Callable] :before_refresh Proc called before
|
41
|
+
# credentials are refreshed.
|
42
|
+
def initialize(options = {})
|
43
|
+
@s3_control_options = options.delete(:s3_control_client_options) || {}
|
44
|
+
@s3_client = options.delete(:s3_client)
|
45
|
+
@sts_client = options.delete(:sts_client)
|
46
|
+
@fallback = options.delete(:fallback) || false
|
47
|
+
@caching = options.delete(:caching) != false
|
48
|
+
@s3_control_clients = {}
|
49
|
+
@bucket_region_cache = Aws::S3.bucket_region_cache
|
50
|
+
return unless @caching
|
51
|
+
|
52
|
+
@credentials_cache = Aws::S3.access_grants_credentials_cache
|
53
|
+
@account_id_cache = Aws::S3.access_grants_account_id_cache
|
54
|
+
end
|
55
|
+
|
56
|
+
def access_grants_credentials_for(options = {})
|
57
|
+
target = target_prefix(
|
58
|
+
options[:bucket],
|
59
|
+
options[:key],
|
60
|
+
options[:prefix]
|
61
|
+
)
|
62
|
+
credentials = s3_client.config.credentials.credentials # resolves
|
63
|
+
|
64
|
+
if @caching
|
65
|
+
cached_credentials_for(target, options[:permission], credentials)
|
66
|
+
else
|
67
|
+
new_credentials_for(target, options[:permission], credentials)
|
68
|
+
end
|
69
|
+
rescue Aws::S3Control::Errors::AccessDenied
|
70
|
+
raise unless @fallback
|
71
|
+
|
72
|
+
warn 'Access denied for S3 Access Grants. Falling back to ' \
|
73
|
+
'configured credentials.'
|
74
|
+
s3_client.config.credentials
|
75
|
+
end
|
76
|
+
|
77
|
+
attr_accessor :s3_client
|
78
|
+
|
79
|
+
private
|
80
|
+
|
81
|
+
def s3_control_client(bucket_region)
|
82
|
+
@s3_control_clients[bucket_region] ||= begin
|
83
|
+
credentials = s3_client.config.credentials
|
84
|
+
config = { credentials: credentials }.merge(@s3_control_options)
|
85
|
+
Aws::S3Control::Client.new(config.merge(
|
86
|
+
region: bucket_region,
|
87
|
+
use_fips_endpoint: s3_client.config.use_fips_endpoint,
|
88
|
+
use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
|
89
|
+
))
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
def cached_credentials_for(target, permission, credentials)
|
94
|
+
cached_creds = broad_search_credentials_cache_prefix(target, permission, credentials)
|
95
|
+
return cached_creds if cached_creds
|
96
|
+
|
97
|
+
if %w[READ WRITE].include?(permission)
|
98
|
+
cached_creds = broad_search_credentials_cache_prefix(target, 'READWRITE', credentials)
|
99
|
+
return cached_creds if cached_creds
|
100
|
+
end
|
101
|
+
|
102
|
+
cached_creds = broad_search_credentials_cache_characters(target, permission, credentials)
|
103
|
+
return cached_creds if cached_creds
|
104
|
+
|
105
|
+
if %w[READ WRITE].include?(permission)
|
106
|
+
cached_creds = broad_search_credentials_cache_characters(target, 'READWRITE', credentials)
|
107
|
+
return cached_creds if cached_creds
|
108
|
+
end
|
109
|
+
|
110
|
+
creds = new_credentials_for(target, permission, credentials)
|
111
|
+
if creds.matched_grant_target.end_with?('*')
|
112
|
+
# remove /* from the end of the target
|
113
|
+
key = credentials_cache_key(creds.matched_grant_target[0...-2], permission, credentials)
|
114
|
+
@credentials_cache[key] = creds
|
115
|
+
end
|
116
|
+
|
117
|
+
creds
|
118
|
+
end
|
119
|
+
|
120
|
+
def broad_search_credentials_cache_prefix(target, permission, credentials)
|
121
|
+
prefix = target
|
122
|
+
while prefix != 's3:'
|
123
|
+
key = credentials_cache_key(prefix, permission, credentials)
|
124
|
+
return @credentials_cache[key] if @credentials_cache.key?(key)
|
125
|
+
|
126
|
+
prefix = prefix.split('/', -1)[0..-2].join('/')
|
127
|
+
end
|
128
|
+
nil
|
129
|
+
end
|
130
|
+
|
131
|
+
def broad_search_credentials_cache_characters(target, permission, credentials)
|
132
|
+
prefix = target
|
133
|
+
while prefix != 's3://'
|
134
|
+
key = credentials_cache_key("#{prefix}*", permission, credentials)
|
135
|
+
return @credentials_cache[key] if @credentials_cache.key?(key)
|
136
|
+
|
137
|
+
prefix = prefix[0..-2]
|
138
|
+
end
|
139
|
+
nil
|
140
|
+
end
|
141
|
+
|
142
|
+
def new_credentials_for(target, permission, credentials)
|
143
|
+
bucket_region = bucket_region_for_access_grants(target)
|
144
|
+
client = s3_control_client(bucket_region)
|
145
|
+
|
146
|
+
AccessGrantsCredentials.new(
|
147
|
+
target: target,
|
148
|
+
account_id: account_id_for_access_grants(target, credentials),
|
149
|
+
permission: permission,
|
150
|
+
client: client
|
151
|
+
)
|
152
|
+
end
|
153
|
+
|
154
|
+
def account_id_for_access_grants(target, credentials)
|
155
|
+
if @caching
|
156
|
+
cached_account_id_for(target, credentials)
|
157
|
+
else
|
158
|
+
new_account_id_for(target, credentials)
|
159
|
+
end
|
160
|
+
end
|
161
|
+
|
162
|
+
def cached_account_id_for(target, credentials)
|
163
|
+
bucket = bucket_name_from(target)
|
164
|
+
|
165
|
+
if @account_id_cache.key?(bucket)
|
166
|
+
@account_id_cache[bucket]
|
167
|
+
else
|
168
|
+
@account_id_cache[bucket] = new_account_id_for(target, credentials)
|
169
|
+
end
|
170
|
+
end
|
171
|
+
|
172
|
+
# returns the account id associated with the access grants instance
|
173
|
+
def new_account_id_for(target, credentials)
|
174
|
+
bucket_region = bucket_region_for_access_grants(target)
|
175
|
+
s3_control_client = s3_control_client(bucket_region)
|
176
|
+
resp = s3_control_client.get_access_grants_instance_for_prefix(
|
177
|
+
s3_prefix: target,
|
178
|
+
account_id: account_id_for_credentials(bucket_region, credentials)
|
179
|
+
)
|
180
|
+
ARNParser.parse(resp.access_grants_instance_arn).account_id
|
181
|
+
end
|
182
|
+
|
183
|
+
def bucket_region_for_access_grants(target)
|
184
|
+
bucket = bucket_name_from(target)
|
185
|
+
# regardless of caching option, bucket region cache is always shared
|
186
|
+
cached_bucket_region_for(bucket)
|
187
|
+
end
|
188
|
+
|
189
|
+
def cached_bucket_region_for(bucket)
|
190
|
+
if @bucket_region_cache.key?(bucket)
|
191
|
+
@bucket_region_cache[bucket]
|
192
|
+
else
|
193
|
+
@bucket_region_cache[bucket] = new_bucket_region_for(bucket)
|
194
|
+
end
|
195
|
+
end
|
196
|
+
|
197
|
+
def new_bucket_region_for(bucket)
|
198
|
+
@s3_client.head_bucket(bucket: bucket).bucket_region
|
199
|
+
rescue Aws::S3::Errors::Http301Error => e
|
200
|
+
e.data.region
|
201
|
+
end
|
202
|
+
|
203
|
+
# returns the account id for the configured credentials
|
204
|
+
def account_id_for_credentials(region, credentials)
|
205
|
+
# use resolved credentials to check for account id
|
206
|
+
if credentials.respond_to?(:account_id) && credentials.account_id &&
|
207
|
+
!credentials.account_id.empty?
|
208
|
+
credentials.account_id
|
209
|
+
else
|
210
|
+
@sts_client ||= Aws::STS::Client.new(
|
211
|
+
credentials: s3_client.config.credentials,
|
212
|
+
region: region,
|
213
|
+
use_fips_endpoint: s3_client.config.use_fips_endpoint,
|
214
|
+
use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
|
215
|
+
)
|
216
|
+
@sts_client.get_caller_identity.account
|
217
|
+
end
|
218
|
+
end
|
219
|
+
|
220
|
+
def target_prefix(bucket, key, prefix)
|
221
|
+
if key && !key.empty?
|
222
|
+
"s3://#{bucket}/#{key}"
|
223
|
+
elsif prefix && !prefix.empty?
|
224
|
+
"s3://#{bucket}/#{prefix}"
|
225
|
+
else
|
226
|
+
"s3://#{bucket}/*"
|
227
|
+
end
|
228
|
+
end
|
229
|
+
|
230
|
+
def credentials_cache_key(target, permission, credentials)
|
231
|
+
"#{credentials.access_key_id}-#{credentials.secret_access_key}" \
|
232
|
+
"-#{permission}-#{target}"
|
233
|
+
end
|
234
|
+
|
235
|
+
# extracts bucket name from target prefix
|
236
|
+
def bucket_name_from(target)
|
237
|
+
URI(target).host
|
238
|
+
end
|
239
|
+
end
|
240
|
+
end
|
241
|
+
end
|