aws-sdk-s3 1.147.0 → 1.149.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a53a99ccca2522053de21bfdf31e17a700464dcc70688283d438b987b1e8098d
-  data.tar.gz: 2edaadc220c24d5d3493841421b9760c2202e7b14aa78e58eb6bb33554f46650
+  metadata.gz: d4d91f16763c42e349f2e6d50ff4f37926096c5148ae5f78b953685e4d2f171e
+  data.tar.gz: 2e72de55c5c10a86437e89200db3b357bb89f083ca5b1c044c20ed90143b66b4
 SHA512:
-  metadata.gz: 822936b8f7a5f6b51baa737b7628ef9e6c584bafca53d648c99684cb6db92b3a6fea98a91ddcce1b2479e7050cccb59045f062cc73f9d889911013684ba7b3df
-  data.tar.gz: 13107a5c2aa6fb081e943340433a72dabad53ee6800e841eff965662c135aac1307664ea855def95c610421886314148067972e6dd78f1f0dc9510671ccfa331
+  metadata.gz: '078c6651b2bc5d4c4cf9abb678303f3dc41250eb24ee66fcbbb22d9c96064dc8dbade173862964021948234fff6e9d38b4a9eb255949891fc047a0b06ac785f6'
+  data.tar.gz: d17a3204313a0977ee8f108c057fefbcbca80eb48e54e146274be01b9f2d9d4c33502cf2474c49fffe560d4a134d8e985a0f8db7a3f83ff533b898e725236473

data/CHANGELOG.md

@@ -1,6 +1,18 @@
 Unreleased Changes
 ------------------
 
+1.149.0 (2024-04-30)
+------------------
+
+* Feature - Support S3 Access Grants authentication. Access Grants can be enabled with the `access_grants` option, and custom options can be passed into the `access_grants_credentials_provider` option. This feature requires `aws-sdk-s3control` to be installed.
+
+* Feature - Add RBS signatures for customizations of S3.
+
+1.148.0 (2024-04-25)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
 1.147.0 (2024-04-16)
 ------------------
 
@@ -33,7 +45,6 @@ Unreleased Changes
 
 * Issue - Include original part errors in message when aborting multipart upload fails (#2990).
 
-
 1.143.0 (2024-01-26)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.147.0
+1.149.0

data/lib/aws-sdk-s3/access_grants_credentials.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'set'
+
+module Aws
+  module S3
+    # @api private
+    class AccessGrantsCredentials
+      include CredentialProvider
+      include RefreshingCredentials
+
+      def initialize(options = {})
+        @client = options[:client]
+        @get_data_access_params = {}
+        options.each_pair do |key, value|
+          if self.class.get_data_access_options.include?(key)
+            @get_data_access_params[key] = value
+          end
+        end
+        @async_refresh = true
+        super
+      end
+
+      # @return [S3Control::Client]
+      attr_reader :client
+
+      # @return [String]
+      attr_reader :matched_grant_target
+
+      private
+
+      def refresh
+        c = @client.get_data_access(@get_data_access_params)
+        credentials = c.credentials
+        @matched_grant_target = c.matched_grant_target
+        @credentials = Credentials.new(
+          credentials.access_key_id,
+          credentials.secret_access_key,
+          credentials.session_token
+        )
+        @expiration = credentials.expiration
+      end
+
+      class << self
+
+        # @api private
+        def get_data_access_options
+          @gdao ||= begin
+            input = Aws::S3Control::Client.api.operation(:get_data_access).input
+            Set.new(input.shape.member_names)
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/access_grants_credentials_provider.rb

@@ -0,0 +1,241 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    # @api private
+    def self.access_grants_credentials_cache
+      @access_grants_credentials_cache ||= LRUCache.new(max_entries: 100)
+    end
+
+    # @api private
+    def self.access_grants_account_id_cache
+      @access_grants_account_id_cache ||= LRUCache.new(
+        max_entries: 100,
+        expiration: 60 * 10
+      )
+    end
+
+    # Returns Credentials class for S3 Access Grants. Accepts GetDataAccess
+    # params and other configuration as options. See
+    # {Aws::S3Control::Client#get_data_access} for details.
+    class AccessGrantsCredentialsProvider
+      # @param [Hash] options
+      # @option options [Hash] :s3_control_client_options The S3 Control
+      #  client options used to create regional S3 Control clients to
+      #  create the session. Region will be set to the region of the
+      #  bucket.
+      # @option options [Aws::STS::Client] :sts_client The STS client used for
+      #  fetching the Account ID for the credentials if credentials do not
+      #  include an Account ID.
+      # @option options [Aws::S3::Client] :s3_client The S3 client used for
+      #  fetching the location of the bucket so that a regional S3 Control
+      #  client can be created. Defaults to the S3 client from the access
+      #  grants plugin.
+      # @option options [String] :privilege ('Default') The privilege to use
+      #  when requesting credentials. (see: {Aws::S3Control::Client#get_data_access})
+      # @option options [Boolean] :fallback (false) When true, if access is
+      #  denied, the provider will fall back to the configured credentials.
+      # @option options [Boolean] :caching (true) When true, credentials and
+      #  bucket account ids will be cached.
+      # @option options [Callable] :before_refresh Proc called before
+      #  credentials are refreshed.
+      def initialize(options = {})
+        @s3_control_options = options.delete(:s3_control_client_options) || {}
+        @s3_client = options.delete(:s3_client)
+        @sts_client = options.delete(:sts_client)
+        @fallback = options.delete(:fallback) || false
+        @caching = options.delete(:caching) != false
+        @s3_control_clients = {}
+        @bucket_region_cache = Aws::S3.bucket_region_cache
+        return unless @caching
+
+        @credentials_cache = Aws::S3.access_grants_credentials_cache
+        @account_id_cache = Aws::S3.access_grants_account_id_cache
+      end
+
+      def access_grants_credentials_for(options = {})
+        target = target_prefix(
+          options[:bucket],
+          options[:key],
+          options[:prefix]
+        )
+        credentials = s3_client.config.credentials.credentials # resolves
+
+        if @caching
+          cached_credentials_for(target, options[:permission], credentials)
+        else
+          new_credentials_for(target, options[:permission], credentials)
+        end
+      rescue Aws::S3Control::Errors::AccessDenied
+        raise unless @fallback
+
+        warn 'Access denied for S3 Access Grants. Falling back to ' \
+             'configured credentials.'
+        s3_client.config.credentials
+      end
+
+      attr_accessor :s3_client
+
+      private
+
+      def s3_control_client(bucket_region)
+        @s3_control_clients[bucket_region] ||= begin
+          credentials = s3_client.config.credentials
+          config = { credentials: credentials }.merge(@s3_control_options)
+          Aws::S3Control::Client.new(config.merge(
+            region: bucket_region,
+            use_fips_endpoint: s3_client.config.use_fips_endpoint,
+            use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+          ))
+        end
+      end
+
+      def cached_credentials_for(target, permission, credentials)
+        cached_creds = broad_search_credentials_cache_prefix(target, permission, credentials)
+        return cached_creds if cached_creds
+
+        if %w[READ WRITE].include?(permission)
+          cached_creds = broad_search_credentials_cache_prefix(target, 'READWRITE', credentials)
+          return cached_creds if cached_creds
+        end
+
+        cached_creds = broad_search_credentials_cache_characters(target, permission, credentials)
+        return cached_creds if cached_creds
+
+        if %w[READ WRITE].include?(permission)
+          cached_creds = broad_search_credentials_cache_characters(target, 'READWRITE', credentials)
+          return cached_creds if cached_creds
+        end
+
+        creds = new_credentials_for(target, permission, credentials)
+        if creds.matched_grant_target.end_with?('*')
+          # remove /* from the end of the target
+          key = credentials_cache_key(creds.matched_grant_target[0...-2], permission, credentials)
+          @credentials_cache[key] = creds
+        end
+
+        creds
+      end
+
+      def broad_search_credentials_cache_prefix(target, permission, credentials)
+        prefix = target
+        while prefix != 's3:'
+          key = credentials_cache_key(prefix, permission, credentials)
+          return @credentials_cache[key] if @credentials_cache.key?(key)
+
+          prefix = prefix.split('/', -1)[0..-2].join('/')
+        end
+        nil
+      end
+
+      def broad_search_credentials_cache_characters(target, permission, credentials)
+        prefix = target
+        while prefix != 's3://'
+          key = credentials_cache_key("#{prefix}*", permission, credentials)
+          return @credentials_cache[key] if @credentials_cache.key?(key)
+
+          prefix = prefix[0..-2]
+        end
+        nil
+      end
+
+      def new_credentials_for(target, permission, credentials)
+        bucket_region = bucket_region_for_access_grants(target)
+        client = s3_control_client(bucket_region)
+
+        AccessGrantsCredentials.new(
+          target: target,
+          account_id: account_id_for_access_grants(target, credentials),
+          permission: permission,
+          client: client
+        )
+      end
+
+      def account_id_for_access_grants(target, credentials)
+        if @caching
+          cached_account_id_for(target, credentials)
+        else
+          new_account_id_for(target, credentials)
+        end
+      end
+
+      def cached_account_id_for(target, credentials)
+        bucket = bucket_name_from(target)
+
+        if @account_id_cache.key?(bucket)
+          @account_id_cache[bucket]
+        else
+          @account_id_cache[bucket] = new_account_id_for(target, credentials)
+        end
+      end
+
+      # returns the account id associated with the access grants instance
+      def new_account_id_for(target, credentials)
+        bucket_region = bucket_region_for_access_grants(target)
+        s3_control_client = s3_control_client(bucket_region)
+        resp = s3_control_client.get_access_grants_instance_for_prefix(
+          s3_prefix: target,
+          account_id: account_id_for_credentials(bucket_region, credentials)
+        )
+        ARNParser.parse(resp.access_grants_instance_arn).account_id
+      end
+
+      def bucket_region_for_access_grants(target)
+        bucket = bucket_name_from(target)
+        # regardless of caching option, bucket region cache is always shared
+        cached_bucket_region_for(bucket)
+      end
+
+      def cached_bucket_region_for(bucket)
+        if @bucket_region_cache.key?(bucket)
+          @bucket_region_cache[bucket]
+        else
+          @bucket_region_cache[bucket] = new_bucket_region_for(bucket)
+        end
+      end
+
+      def new_bucket_region_for(bucket)
+        @s3_client.head_bucket(bucket: bucket).bucket_region
+      rescue Aws::S3::Errors::Http301Error => e
+        e.data.region
+      end
+
+      # returns the account id for the configured credentials
+      def account_id_for_credentials(region, credentials)
+        # use resolved credentials to check for account id
+        if credentials.respond_to?(:account_id) && credentials.account_id &&
+           !credentials.account_id.empty?
+          credentials.account_id
+        else
+          @sts_client ||= Aws::STS::Client.new(
+            credentials: s3_client.config.credentials,
+            region: region,
+            use_fips_endpoint: s3_client.config.use_fips_endpoint,
+            use_dualstack_endpoint: s3_client.config.use_dualstack_endpoint
+          )
+          @sts_client.get_caller_identity.account
+        end
+      end
+
+      def target_prefix(bucket, key, prefix)
+        if key && !key.empty?
+          "s3://#{bucket}/#{key}"
+        elsif prefix && !prefix.empty?
+          "s3://#{bucket}/#{prefix}"
+        else
+          "s3://#{bucket}/*"
+        end
+      end
+
+      def credentials_cache_key(target, permission, credentials)
+        "#{credentials.access_key_id}-#{credentials.secret_access_key}" \
+        "-#{permission}-#{target}"
+      end
+
+      # extracts bucket name from target prefix
+      def bucket_name_from(target)
+        URI(target).host
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/bucket_region_cache.rb

@@ -15,7 +15,7 @@ module Aws
       # Registers a block as a callback. This listener is called when a
       # new bucket/region pair is added to the cache.
       #
-      #     S3::BUCKET_REGIONS.bucket_added do |bucket_name, region_name|
+      #     Aws::S3.bucket_region_cache.bucket_added do |bucket_name, region_name|
       #       # ...
       #     end
       #
@@ -59,6 +59,14 @@ module Aws
         end
       end
 
+      # @param [String] key
+      # @return [Boolean]
+      def key?(key)
+        @mutex.synchronize do
+          @regions.key?(key)
+        end
+      end
+
       # @api private
       def clear
         @mutex.synchronize { @regions = {} }
@@ -73,9 +81,5 @@ module Aws
       alias to_h to_hash
 
     end
-
-    # @api private
-    BUCKET_REGIONS = BucketRegionCache.new
-
   end
 end

data/lib/aws-sdk-s3/client.rb

@@ -22,6 +22,7 @@ require 'aws-sdk-core/plugins/endpoint_pattern.rb'
 require 'aws-sdk-core/plugins/response_paging.rb'
 require 'aws-sdk-core/plugins/stub_responses.rb'
 require 'aws-sdk-core/plugins/idempotency_token.rb'
+require 'aws-sdk-core/plugins/invocation_id.rb'
 require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
 require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
 require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
@@ -34,6 +35,7 @@ require 'aws-sdk-core/plugins/recursion_detection.rb'
 require 'aws-sdk-core/plugins/sign.rb'
 require 'aws-sdk-core/plugins/protocols/rest_xml.rb'
 require 'aws-sdk-s3/plugins/accelerate.rb'
+require 'aws-sdk-s3/plugins/access_grants.rb'
 require 'aws-sdk-s3/plugins/arn.rb'
 require 'aws-sdk-s3/plugins/bucket_dns.rb'
 require 'aws-sdk-s3/plugins/bucket_name_restrictions.rb'
@@ -92,6 +94,7 @@ module Aws::S3
     add_plugin(Aws::Plugins::ResponsePaging)
     add_plugin(Aws::Plugins::StubResponses)
     add_plugin(Aws::Plugins::IdempotencyToken)
+    add_plugin(Aws::Plugins::InvocationId)
     add_plugin(Aws::Plugins::JsonvalueConverter)
     add_plugin(Aws::Plugins::ClientMetricsPlugin)
     add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
@@ -104,6 +107,7 @@ module Aws::S3
     add_plugin(Aws::Plugins::Sign)
     add_plugin(Aws::Plugins::Protocols::RestXml)
     add_plugin(Aws::S3::Plugins::Accelerate)
+    add_plugin(Aws::S3::Plugins::AccessGrants)
     add_plugin(Aws::S3::Plugins::ARN)
     add_plugin(Aws::S3::Plugins::BucketDns)
     add_plugin(Aws::S3::Plugins::BucketNameRestrictions)
@@ -184,6 +188,16 @@ module Aws::S3
     #     * `~/.aws/credentials`
     #     * `~/.aws/config`
     #
+    #   @option options [Boolean] :access_grants (false)
+    #     When `true`, the S3 client will use the S3 Access Grants feature to
+    #     authenticate requests. Bucket credentials will be fetched from S3
+    #     Control using the `get_data_access` API.
+    #
+    #   @option options [Aws::S3::AccessGrantsCredentialsProvider] :access_grants_credentials_provider
+    #     When `access_grants` is `true`, this option can be used to provide
+    #     additional options to the credentials provider, including a privilege
+    #     setting, caching, and fallback behavior.
+    #
     #   @option options [String] :access_key_id
     #
     #   @option options [Boolean] :active_endpoint_cache (false)
@@ -246,10 +260,17 @@ module Aws::S3
     #   @option options [Boolean] :disable_s3_express_session_auth
     #     Parameter to indicate whether S3Express session auth should be disabled
     #
-    #   @option options [String] :endpoint
-    #     The client endpoint is normally constructed from the `:region`
-    #     option. You should only configure an `:endpoint` when connecting
-    #     to test or custom endpoints. This should be a valid HTTP(S) URI.
+    #   @option options [String, URI::HTTPS, URI::HTTP] :endpoint
+    #     Normally you should not configure the `:endpoint` option
+    #     directly. This is normally constructed from the `:region`
+    #     option. Configuring `:endpoint` is normally reserved for
+    #     connecting to test or custom endpoints. The endpoint should
+    #     be a URI formatted like:
+    #
+    #         'http://example.com'
+    #         'https://example.com'
+    #         'http://example.com:123'
+    #
     #
     #   @option options [Integer] :endpoint_cache_max_entries (1000)
     #     Used for the maximum size limit of the LRU cache storing endpoints data
@@ -432,50 +453,65 @@ module Aws::S3
     #   @option options [Aws::S3::EndpointProvider] :endpoint_provider
     #     The endpoint provider used to resolve endpoints. Any object that responds to `#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::S3::EndpointParameters`
     #
-    #   @option options [URI::HTTP,String] :http_proxy A proxy to send
-    #     requests through.  Formatted like 'http://proxy.com:123'.
-    #
-    #   @option options [Float] :http_open_timeout (15) The number of
-    #     seconds to wait when opening a HTTP session before raising a
-    #     `Timeout::Error`.
-    #
-    #   @option options [Float] :http_read_timeout (60) The default
-    #     number of seconds to wait for response data.  This value can
-    #     safely be set per-request on the session.
-    #
-    #   @option options [Float] :http_idle_timeout (5) The number of
-    #     seconds a connection is allowed to sit idle before it is
-    #     considered stale.  Stale connections are closed and removed
-    #     from the pool before making a request.
-    #
-    #   @option options [Float] :http_continue_timeout (1) The number of
-    #     seconds to wait for a 100-continue response before sending the
-    #     request body.  This option has no effect unless the request has
-    #     "Expect" header set to "100-continue".  Defaults to `nil` which
-    #     disables this behaviour.  This value can safely be set per
-    #     request on the session.
-    #
-    #   @option options [Float] :ssl_timeout (nil) Sets the SSL timeout
-    #     in seconds.
-    #
-    #   @option options [Boolean] :http_wire_trace (false) When `true`,
-    #     HTTP debug output will be sent to the `:logger`.
+    #   @option options [Float] :http_continue_timeout (1)
+    #     The number of seconds to wait for a 100-continue response before sending the
+    #     request body.  This option has no effect unless the request has "Expect"
+    #     header set to "100-continue".  Defaults to `nil` which  disables this
+    #     behaviour.  This value can safely be set per request on the session.
+    #
+    #   @option options [Float] :http_idle_timeout (5)
+    #     The number of seconds a connection is allowed to sit idle before it
+    #     is considered stale.  Stale connections are closed and removed from the
+    #     pool before making a request.
+    #
+    #   @option options [Float] :http_open_timeout (15)
+    #     The default number of seconds to wait for response data.
+    #     This value can safely be set per-request on the session.
+    #
+    #   @option options [URI::HTTP,String] :http_proxy
+    #     A proxy to send requests through.  Formatted like 'http://proxy.com:123'.
+    #
+    #   @option options [Float] :http_read_timeout (60)
+    #     The default number of seconds to wait for response data.
+    #     This value can safely be set per-request on the session.
+    #
+    #   @option options [Boolean] :http_wire_trace (false)
+    #     When `true`,  HTTP debug output will be sent to the `:logger`.
+    #
+    #   @option options [Proc] :on_chunk_received
+    #     When a Proc object is provided, it will be used as callback when each chunk
+    #     of the response body is received. It provides three arguments: the chunk,
+    #     the number of bytes received, and the total number of
+    #     bytes in the response (or nil if the server did not send a `content-length`).
+    #
+    #   @option options [Proc] :on_chunk_sent
+    #     When a Proc object is provided, it will be used as callback when each chunk
+    #     of the request body is sent. It provides three arguments: the chunk,
+    #     the number of bytes read from the body, and the total number of
+    #     bytes in the body.
+    #
+    #   @option options [Boolean] :raise_response_errors (true)
+    #     When `true`, response errors are raised.
+    #
+    #   @option options [String] :ssl_ca_bundle
+    #     Full path to the SSL certificate authority bundle file that should be used when
+    #     verifying peer certificates.  If you do not pass `:ssl_ca_bundle` or
+    #     `:ssl_ca_directory` the the system default will be used if available.
+    #
+    #   @option options [String] :ssl_ca_directory
+    #     Full path of the directory that contains the unbundled SSL certificate
+    #     authority files for verifying peer certificates.  If you do
+    #     not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the system
+    #     default will be used if available.
     #
-    #   @option options [Boolean] :ssl_verify_peer (true) When `true`,
-    #     SSL peer certificates are verified when establishing a
-    #     connection.
+    #   @option options [String] :ssl_ca_store
+    #     Sets the X509::Store to verify peer certificate.
     #
-    #   @option options [String] :ssl_ca_bundle Full path to the SSL
-    #     certificate authority bundle file that should be used when
-    #     verifying peer certificates.  If you do not pass
-    #     `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
-    #     will be used if available.
+    #   @option options [Float] :ssl_timeout
+    #     Sets the SSL timeout in seconds
     #
-    #   @option options [String] :ssl_ca_directory Full path of the
-    #     directory that contains the unbundled SSL certificate
-    #     authority files for verifying peer certificates.  If you do
-    #     not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
-    #     system default will be used if available.
+    #   @option options [Boolean] :ssl_verify_peer (true)
+    #     When `true`, SSL peer certificates are verified when establishing a connection.
     #
     def initialize(*args)
       super
@@ -17206,22 +17242,22 @@ module Aws::S3
     #
     # @example EventStream Operation Example
     #
-    #   You can process event once it arrives immediately, or wait until
-    #   full response complete and iterate through eventstream enumerator.
+    #   You can process the event once it arrives immediately, or wait until the
+    #   full response is complete and iterate through the eventstream enumerator.
     #
     #   To interact with event immediately, you need to register #select_object_content
-    #   with callbacks, callbacks can be register for specifc events or for all events,
-    #   callback for errors in the event stream is also available for register.
+    #   with callbacks. Callbacks can be registered for specific events or for all
+    #   events, including error events.
     #
-    #   Callbacks can be passed in by `:event_stream_handler` option or within block
-    #   statement attached to #select_object_content call directly. Hybrid pattern of both
-    #   is also supported.
+    #   Callbacks can be passed into the `:event_stream_handler` option or within a
+    #   block statement attached to the #select_object_content call directly. Hybrid
+    #   pattern of both is also supported.
     #
-    #   `:event_stream_handler` option takes in either Proc object or
+    #   `:event_stream_handler` option takes in either a Proc object or
     #   Aws::S3::EventStreams::SelectObjectContentEventStream object.
     #
-    #   Usage pattern a): callbacks with a block attached to #select_object_content
-    #     Example for registering callbacks for all event types and error event
+    #   Usage pattern a): Callbacks with a block attached to #select_object_content
+    #     Example for registering callbacks for all event types and an error event
     #
     #     client.select_object_content( # params input# ) do |stream|
     #       stream.on_error_event do |event|
@@ -17241,9 +17277,9 @@ module Aws::S3
     #
     #     end
     #
-    #   Usage pattern b): pass in `:event_stream_handler` for #select_object_content
+    #   Usage pattern b): Pass in `:event_stream_handler` for #select_object_content
     #
-    #     1) create a Aws::S3::EventStreams::SelectObjectContentEventStream object
+    #     1) Create a Aws::S3::EventStreams::SelectObjectContentEventStream object
     #     Example for registering callbacks with specific events
     #
     #       handler = Aws::S3::EventStreams::SelectObjectContentEventStream.new
@@ -17265,7 +17301,7 @@ module Aws::S3
     #
     #     client.select_object_content( # params input #, event_stream_handler: handler)
     #
-    #     2) use a Ruby Proc object
+    #     2) Use a Ruby Proc object
     #     Example for registering callbacks with specific events
     #
     #     handler = Proc.new do |stream|
@@ -17288,7 +17324,7 @@ module Aws::S3
     #
     #     client.select_object_content( # params input #, event_stream_handler: handler)
     #
-    #   Usage pattern c): hybird pattern of a) and b)
+    #   Usage pattern c): Hybrid pattern of a) and b)
     #
     #       handler = Aws::S3::EventStreams::SelectObjectContentEventStream.new
     #       handler.on_records_event do |event|
@@ -17318,8 +17354,7 @@ module Aws::S3
     #       end
     #     end
     #
-    #   Besides above usage patterns for process events when they arrive immediately, you can also
-    #   iterate through events after response complete.
+    #   You can also iterate through events after the response complete.
     #
     #   Events are available at resp.payload # => Enumerator
     #   For parameter input example, please refer to following request syntax
@@ -18792,7 +18827,7 @@ module Aws::S3
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-s3'
-      context[:gem_version] = '1.147.0'
+      context[:gem_version] = '1.149.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-s3/customizations/errors.rb

@@ -3,8 +3,8 @@
 module Aws
   module S3
     module Errors
-      # Hijack PermanentRedirect dynamic error to also include endpoint
-      # and bucket.
+      # Hijack PermanentRedirect dynamic error to include the bucket, region,
+      # and endpoint.
       class PermanentRedirect < ServiceError
         # @param [Seahorse::Client::RequestContext] context
         # @param [String] message
@@ -22,6 +22,19 @@ module Aws
           super(context, message, data)
         end
       end
+
+      # Hijack PermanentRedirect (HeadBucket case - no body) dynamic error to
+      # include the region.
+      class Http301Error < ServiceError
+        # @param [Seahorse::Client::RequestContext] context
+        # @param [String] message
+        # @param [Aws::S3::Types::PermanentRedirect] _data
+        def initialize(context, message, _data = Aws::EmptyStructure.new)
+          data = Aws::S3::Types::PermanentRedirect.new(message: message)
+          data.region = context.http_response.headers['x-amz-bucket-region']
+          super(context, message, data)
+        end
+      end
     end
   end
 end

data/lib/aws-sdk-s3/customizations.rb

@@ -18,9 +18,12 @@ require 'aws-sdk-s3/presigner'
 
 # s3 express session auth
 require 'aws-sdk-s3/express_credentials'
-require 'aws-sdk-s3/express_credentials_cache'
 require 'aws-sdk-s3/express_credentials_provider'
 
+# s3 access grants auth
+require 'aws-sdk-s3/access_grants_credentials'
+require 'aws-sdk-s3/access_grants_credentials_provider'
+
 # customizations to generated classes
 require 'aws-sdk-s3/customizations/bucket'
 require 'aws-sdk-s3/customizations/errors'

data/lib/aws-sdk-s3/express_credentials_provider.rb

@@ -2,30 +2,53 @@
 
 module Aws
   module S3
+    # @api private
+    def self.express_credentials_cache
+      @express_credentials_cache ||= LRUCache.new(max_entries: 100)
+    end
+
     # Returns Credentials class for S3 Express. Accepts CreateSession
     # params as options. See {Client#create_session} for details.
     class ExpressCredentialsProvider
       # @param [Hash] options
-      # @option options [Client] :client The S3 client used to create the session.
+      # @option options [Client] :client The S3 client used to create the
+      #  session.
       # @option options [String] :session_mode (see: {Client#create_session})
+      # @option options [Boolean] :caching (true) When true, credentials will
+      #  be cached.
       # @option options [Callable] :before_refresh Proc called before
       #   credentials are refreshed.
       def initialize(options = {})
         @client = options.delete(:client)
+        @caching = options.delete(:caching) != false
         @options = options
-        @cache = EXPRESS_CREDENTIALS_CACHE
+        return unless @caching
+
+        @cache = Aws::S3.express_credentials_cache
       end
 
       def express_credentials_for(bucket)
-        @cache[bucket] || new_credentials_for(bucket)
+        if @caching
+          cached_credentials_for(bucket)
+        else
+          new_credentials_for(bucket)
+        end
       end
 
       attr_accessor :client
 
       private
 
+      def cached_credentials_for(bucket)
+        if @cache.key?(bucket)
+          @cache[bucket]
+        else
+          @cache[bucket] = new_credentials_for(bucket)
+        end
+      end
+
       def new_credentials_for(bucket)
-        @cache[bucket] = ExpressCredentials.new(
+        ExpressCredentials.new(
           bucket: bucket,
           client: @client,
           **@options

data/lib/aws-sdk-s3/plugins/access_grants.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module Aws
+  module S3
+    module Plugins
+      # @api private
+      class AccessGrants < Seahorse::Client::Plugin
+        @s3control =
+          begin
+            require 'aws-sdk-s3control'
+            true
+          rescue LoadError
+            false
+          end
+
+        option(
+          :access_grants,
+          default: false,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS)
+When `true`, the S3 client will use the S3 Access Grants feature to
+authenticate requests. Bucket credentials will be fetched from S3
+Control using the `get_data_access` API.
+          DOCS
+
+        option(:access_grants_credentials_provider,
+          doc_type: 'Aws::S3::AccessGrantsCredentialsProvider',
+          rbs_type: 'untyped',
+          docstring: <<-DOCS) do |_cfg|
+When `access_grants` is `true`, this option can be used to provide
+additional options to the credentials provider, including a privilege
+setting, caching, and fallback behavior.
+          DOCS
+          Aws::S3::AccessGrantsCredentialsProvider.new
+        end
+
+        # @api private
+        class Handler < Seahorse::Client::Handler
+          PERMISSION_MAP = {
+            head_object: 'READ',
+            get_object: 'READ',
+            get_object_acl: 'READ',
+            list_multipart_uploads: 'READ',
+            list_objects_v2: 'READ',
+            list_object_versions: 'READ',
+            list_parts: 'READ',
+            put_object: 'WRITE',
+            put_object_acl: 'WRITE',
+            delete_object: 'WRITE',
+            abort_multipart_upload: 'WRITE',
+            create_multipart_upload: 'WRITE',
+            upload_part: 'WRITE',
+            complete_multipart_upload: 'WRITE'
+          }.freeze
+
+          def call(context)
+            if access_grants_operation?(context) &&
+               !s3_express_endpoint?(context)
+              params = context[:endpoint_params]
+              permission = PERMISSION_MAP[context.operation_name]
+
+              provider = context.config.access_grants_credentials_provider
+              credentials = provider.access_grants_credentials_for(
+                bucket: params[:bucket],
+                key: params[:key],
+                prefix: params[:prefix],
+                permission: permission
+              )
+              context[:sigv4_credentials] = credentials # Sign will use this
+            end
+
+            @handler.call(context)
+          end
+
+          private
+
+          def access_grants_operation?(context)
+            params = context[:endpoint_params]
+            params[:bucket] && PERMISSION_MAP[context.operation_name]
+          end
+
+          def s3_express_endpoint?(context)
+            context[:endpoint_properties]['backend'] == 'S3Express'
+          end
+        end
+
+        def add_handlers(handlers, config)
+          return unless AccessGrants.s3control? && config.access_grants
+
+          handlers.add(Handler)
+        end
+
+        def after_initialize(client)
+          return unless AccessGrants.s3control? && client.config.access_grants
+
+          provider = client.config.access_grants_credentials_provider
+          provider.s3_client = client unless provider.s3_client
+        end
+
+        class << self
+          def s3control?
+            @s3control
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-s3/plugins/express_session_auth.rb

@@ -31,7 +31,7 @@ for different buckets.
           def call(context)
             if (props = context[:endpoint_properties])
               # S3 Express endpoint - turn off md5 and enable crc32 default
-              if (backend = props['backend']) && backend == 'S3Express'
+              if props['backend'] == 'S3Express'
                 if context.operation_name == :put_object || checksum_required?(context)
                   context[:default_request_checksum_algorithm] = 'CRC32'
                 end

data/lib/aws-sdk-s3/plugins/s3_signer.rb

@@ -4,6 +4,11 @@ require 'aws-sigv4'
 
 module Aws
   module S3
+    # @api private
+    def self.bucket_region_cache
+      @bucket_region_cache ||= BucketRegionCache.new
+    end
+
     module Plugins
       # This plugin used to have a V4 signer but it was removed in favor of
       # generic Sign plugin that uses endpoint auth scheme.
@@ -51,7 +56,7 @@ module Aws
           private
 
           def check_for_cached_region(context, bucket)
-            cached_region = S3::BUCKET_REGIONS[bucket]
+            cached_region = Aws::S3.bucket_region_cache[bucket]
             if cached_region &&
                cached_region != context.config.region &&
                !S3Signer.custom_endpoint?(context)
@@ -97,7 +102,7 @@ module Aws
           end
 
           def update_bucket_cache(context, actual_region)
-            S3::BUCKET_REGIONS[context.params[:bucket]] = actual_region
+            Aws::S3.bucket_region_cache[context.params[:bucket]] = actual_region
           end
 
           def fips_region?(resp)

data/lib/aws-sdk-s3/presigner.rb

@@ -200,6 +200,7 @@ module Aws
         req.handlers.remove(Aws::Plugins::Sign::Handler)
         req.handlers.remove(Seahorse::Client::Plugins::ContentLength::Handler)
         req.handlers.remove(Aws::Rest::ContentTypeHandler)
+        req.handlers.remove(Aws::Plugins::InvocationId::Handler)
 
         req.handle(step: :send) do |context|
           # if an endpoint was not provided, force secure or insecure

data/lib/aws-sdk-s3.rb

@@ -73,6 +73,6 @@ require_relative 'aws-sdk-s3/event_streams'
 # @!group service
 module Aws::S3
 
-  GEM_VERSION = '1.147.0'
+  GEM_VERSION = '1.149.0'
 
 end

data/sig/client.rbs

@@ -14,6 +14,8 @@ module Aws
       def self.new: (
                       ?credentials: untyped,
                       ?region: String,
+                      ?access_grants: bool,
+                      ?access_grants_credentials_provider: untyped,
                       ?access_key_id: String,
                       ?active_endpoint_cache: bool,
                       ?adaptive_retry_wait_to_fill: bool,

data/sig/customizations/bucket.rbs

@@ -0,0 +1,19 @@
+module Aws
+  module S3
+    class Bucket
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Bucket.html#clear!-instance_method
+      def clear!: () -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Bucket.html#delete!-instance_method
+      def delete!: (?max_attempts: ::Integer, ?initial_wait: ::Float) -> void
+                 | (?Hash[Symbol, untyped]) -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Bucket.html#url-instance_method
+      def url: (?virtual_host: boolish, ?secure: boolish) -> String
+             | (?Hash[Symbol, untyped]) -> String
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Bucket.html#presigned_post-instance_method
+      def presigned_post: (Hash[Symbol, untyped]) -> untyped
+    end
+  end
+end

data/sig/customizations/object.rbs

@@ -0,0 +1,38 @@
+module Aws
+  module S3
+    class Object
+      alias size content_length
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#copy_from-instance_method
+      def copy_from: (untyped source, ?Hash[Symbol, untyped] options) -> void
+                   | ...
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#copy_to-instance_method
+      def copy_to: (untyped target, ?Hash[Symbol, untyped] options) -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#move_to-instance_method
+      def move_to: (untyped target, ?Hash[Symbol, untyped] options) -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#presigned_post-instance_method
+      def presigned_post: (?Hash[Symbol, untyped]) -> untyped
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#presigned_url-instance_method
+      def presigned_url: (Symbol | String method, ?Hash[Symbol, untyped] params) -> String
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#presigned_request-instance_method
+      def presigned_request: (Symbol | String method, ?Hash[Symbol, untyped] params) -> [String, Hash[String, String]]
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#public_url-instance_method
+      def public_url: (?Hash[Symbol, untyped] options) -> String
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#upload_stream-instance_method
+      def upload_stream: (?Hash[Symbol, untyped] options) { (IO write_stream) -> void } -> bool
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#upload_file-instance_method
+      def upload_file: (untyped source, ?Hash[Symbol, untyped] options) ?{ (untyped response) -> void } -> bool
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Object.html#download_file-instance_method
+      def download_file: (String destination, ?Hash[Symbol, untyped] options) -> bool
+    end
+  end
+end

data/sig/customizations/object_summary.rbs

@@ -0,0 +1,35 @@
+module Aws
+  module S3
+    class ObjectSummary
+      alias content_length size
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#copy_from-instance_method
+      def copy_from: (untyped source, ?Hash[Symbol, untyped] options) -> void
+                   | ...
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#copy_to-instance_method
+      def copy_to: (untyped target, ?Hash[Symbol, untyped] options) -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#move_to-instance_method
+      def move_to: (untyped target, ?Hash[Symbol, untyped] options) -> void
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#presigned_post-instance_method
+      def presigned_post: (Hash[Symbol, untyped]) -> untyped
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#presigned_url-instance_method
+      def presigned_url: (Symbol | String method, ?Hash[Symbol, untyped] params) -> String
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#public_url-instance_method
+      def public_url: (?Hash[Symbol, untyped] options) -> String
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#upload_file-instance_method
+      def upload_file: (untyped source, ?Hash[Symbol, untyped] options) ?{ (untyped response) -> void } -> bool
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#upload_stream-instance_method
+      def upload_stream: (?Hash[Symbol, untyped] options) { (IO write_stream) -> void } -> bool
+
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/ObjectSummary.html#download_file-instance_method
+      def download_file: (String destination, ?Hash[Symbol, untyped] options) -> bool
+    end
+  end
+end

data/sig/resource.rbs

@@ -14,6 +14,8 @@ module Aws
                         ?client: Client,
                         ?credentials: untyped,
                         ?region: String,
+                        ?access_grants: bool,
+                        ?access_grants_credentials_provider: untyped,
                         ?access_key_id: String,
                         ?active_endpoint_cache: bool,
                         ?adaptive_retry_wait_to_fill: bool,

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-s3
 version: !ruby/object:Gem::Version
-  version: 1.147.0
+  version: 1.149.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-04-16 00:00:00.000000000 Z
+date: 2024-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-kms
@@ -47,7 +47,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.192.0
+        version: 3.194.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -57,7 +57,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.192.0
+        version: 3.194.0
 description: Official AWS Ruby gem for Amazon Simple Storage Service (Amazon S3).
   This gem is part of the AWS SDK for Ruby.
 email:
@@ -70,6 +70,8 @@ files:
 - LICENSE.txt
 - VERSION
 - lib/aws-sdk-s3.rb
+- lib/aws-sdk-s3/access_grants_credentials.rb
+- lib/aws-sdk-s3/access_grants_credentials_provider.rb
 - lib/aws-sdk-s3/bucket.rb
 - lib/aws-sdk-s3/bucket_acl.rb
 - lib/aws-sdk-s3/bucket_cors.rb
@@ -127,7 +129,6 @@ files:
 - lib/aws-sdk-s3/errors.rb
 - lib/aws-sdk-s3/event_streams.rb
 - lib/aws-sdk-s3/express_credentials.rb
-- lib/aws-sdk-s3/express_credentials_cache.rb
 - lib/aws-sdk-s3/express_credentials_provider.rb
 - lib/aws-sdk-s3/file_downloader.rb
 - lib/aws-sdk-s3/file_part.rb
@@ -145,6 +146,7 @@ files:
 - lib/aws-sdk-s3/object_summary.rb
 - lib/aws-sdk-s3/object_version.rb
 - lib/aws-sdk-s3/plugins/accelerate.rb
+- lib/aws-sdk-s3/plugins/access_grants.rb
 - lib/aws-sdk-s3/plugins/arn.rb
 - lib/aws-sdk-s3/plugins/bucket_dns.rb
 - lib/aws-sdk-s3/plugins/bucket_name_restrictions.rb
@@ -182,6 +184,9 @@ files:
 - sig/bucket_versioning.rbs
 - sig/bucket_website.rbs
 - sig/client.rbs
+- sig/customizations/bucket.rbs
+- sig/customizations/object.rbs
+- sig/customizations/object_summary.rbs
 - sig/errors.rbs
 - sig/multipart_upload.rbs
 - sig/multipart_upload_part.rbs

data/lib/aws-sdk-s3/express_credentials_cache.rb

@@ -1,30 +0,0 @@
-# frozen_string_literal: true
-
-module Aws
-  module S3
-    # @api private
-    class ExpressCredentialsCache
-      def initialize
-        @credentials = {}
-        @mutex = Mutex.new
-      end
-
-      def [](bucket_name)
-        @mutex.synchronize { @credentials[bucket_name] }
-      end
-
-      def []=(bucket_name, credential_provider)
-        @mutex.synchronize do
-          @credentials[bucket_name] = credential_provider
-        end
-      end
-
-      def clear
-        @mutex.synchronize { @credentials = {} }
-      end
-    end
-
-    # @api private
-    EXPRESS_CREDENTIALS_CACHE = ExpressCredentialsCache.new
-  end
-end