aws-sdk-s3 1.86.2 → 1.116.0

data/lib/aws-sdk-s3/object_version.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -56,6 +56,12 @@ module Aws::S3
       data[:etag]
     end
 
+    # The algorithm that was used to create a checksum of the object.
+    # @return [Array<String>]
+    def checksum_algorithm
+      data[:checksum_algorithm]
+    end
+
     # Size in bytes of the object.
     # @return [Integer]
     def size
@@ -245,20 +251,21 @@ module Aws::S3
     # @option options [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
     #   request. Bucket owners need not specify this parameter in their
-    #   requests. For information about downloading objects from requester
-    #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   requests. For information about downloading objects from Requester
+    #   Pays buckets, see [Downloading Objects in Requester Pays Buckets][1]
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
     # @option options [Boolean] :bypass_governance_retention
     #   Indicates whether S3 Object Lock should bypass Governance-mode
-    #   restrictions to process this operation.
+    #   restrictions to process this operation. To use this header, you must
+    #   have the `s3:BypassGovernanceRetention` permission.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
-    #   a different account, the request will fail with an HTTP `403 (Access
-    #   Denied)` error.
+    #   The account ID of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request fails with the HTTP status code `403
+    #   Forbidden` (access denied).
     # @return [Types::DeleteObjectOutput]
     def delete(options = {})
       options = options.merge(
@@ -290,20 +297,21 @@ module Aws::S3
     #     request_payer: "requester", # accepts requester
     #     part_number: 1,
     #     expected_bucket_owner: "AccountId",
+    #     checksum_mode: "ENABLED", # accepts ENABLED
     #   })
     # @param [Hash] options ({})
     # @option options [String] :if_match
     #   Return the object only if its entity tag (ETag) is the same as the one
-    #   specified, otherwise return a 412 (precondition failed).
+    #   specified; otherwise, return a 412 (precondition failed) error.
     # @option options [Time,DateTime,Date,Integer,String] :if_modified_since
     #   Return the object only if it has been modified since the specified
-    #   time, otherwise return a 304 (not modified).
+    #   time; otherwise, return a 304 (not modified) error.
     # @option options [String] :if_none_match
     #   Return the object only if its entity tag (ETag) is different from the
-    #   one specified, otherwise return a 304 (not modified).
+    #   one specified; otherwise, return a 304 (not modified) error.
     # @option options [Time,DateTime,Date,Integer,String] :if_unmodified_since
     #   Return the object only if it has not been modified since the specified
-    #   time, otherwise return a 412 (precondition failed).
+    #   time; otherwise, return a 412 (precondition failed) error.
     # @option options [String] :range
     #   Downloads the specified range bytes of an object. For more information
     #   about the HTTP Range header, see
@@ -330,13 +338,13 @@ module Aws::S3
     # @option options [Time,DateTime,Date,Integer,String] :response_expires
     #   Sets the `Expires` header of the response.
     # @option options [String] :sse_customer_algorithm
-    #   Specifies the algorithm to use to when encrypting the object (for
+    #   Specifies the algorithm to use to when decrypting the object (for
     #   example, AES256).
     # @option options [String] :sse_customer_key
-    #   Specifies the customer-provided encryption key for Amazon S3 to use in
-    #   encrypting data. This value is used to store the object and then it is
-    #   discarded; Amazon S3 does not store the encryption key. The key must
-    #   be appropriate for use with the algorithm specified in the
+    #   Specifies the customer-provided encryption key for Amazon S3 used to
+    #   encrypt the data. This value is used to decrypt the object when
+    #   recovering it and must match the one used when storing the data. The
+    #   key must be appropriate for use with the algorithm specified in the
     #   `x-amz-server-side-encryption-customer-algorithm` header.
     # @option options [String] :sse_customer_key_md5
     #   Specifies the 128-bit MD5 digest of the encryption key according to
@@ -345,9 +353,9 @@ module Aws::S3
     # @option options [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
     #   request. Bucket owners need not specify this parameter in their
-    #   requests. For information about downloading objects from requester
-    #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   requests. For information about downloading objects from Requester
+    #   Pays buckets, see [Downloading Objects in Requester Pays Buckets][1]
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -358,9 +366,11 @@ module Aws::S3
     #   for the part specified. Useful for downloading just a part of an
     #   object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
-    #   a different account, the request will fail with an HTTP `403 (Access
-    #   Denied)` error.
+    #   The account ID of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request fails with the HTTP status code `403
+    #   Forbidden` (access denied).
+    # @option options [String] :checksum_mode
+    #   To retrieve the checksum, this mode must be enabled.
     # @return [Types::GetObjectOutput]
     def get(options = {}, &block)
       options = options.merge(
@@ -386,33 +396,24 @@ module Aws::S3
     #     request_payer: "requester", # accepts requester
     #     part_number: 1,
     #     expected_bucket_owner: "AccountId",
+    #     checksum_mode: "ENABLED", # accepts ENABLED
     #   })
     # @param [Hash] options ({})
     # @option options [String] :if_match
     #   Return the object only if its entity tag (ETag) is the same as the one
-    #   specified, otherwise return a 412 (precondition failed).
+    #   specified; otherwise, return a 412 (precondition failed) error.
     # @option options [Time,DateTime,Date,Integer,String] :if_modified_since
     #   Return the object only if it has been modified since the specified
-    #   time, otherwise return a 304 (not modified).
+    #   time; otherwise, return a 304 (not modified) error.
     # @option options [String] :if_none_match
     #   Return the object only if its entity tag (ETag) is different from the
-    #   one specified, otherwise return a 304 (not modified).
+    #   one specified; otherwise, return a 304 (not modified) error.
     # @option options [Time,DateTime,Date,Integer,String] :if_unmodified_since
     #   Return the object only if it has not been modified since the specified
-    #   time, otherwise return a 412 (precondition failed).
+    #   time; otherwise, return a 412 (precondition failed) error.
     # @option options [String] :range
-    #   Downloads the specified range bytes of an object. For more information
-    #   about the HTTP Range header, see
-    #   [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35][1].
-    #
-    #   <note markdown="1"> Amazon S3 doesn't support retrieving multiple ranges of data per
-    #   `GET` request.
-    #
-    #    </note>
-    #
-    #
-    #
-    #   [1]: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.35
+    #   Because `HeadObject` returns only the metadata for an object, this
+    #   parameter has no effect.
     # @option options [String] :sse_customer_algorithm
     #   Specifies the algorithm to use to when encrypting the object (for
     #   example, AES256).
@@ -429,9 +430,9 @@ module Aws::S3
     # @option options [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
     #   request. Bucket owners need not specify this parameter in their
-    #   requests. For information about downloading objects from requester
-    #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   requests. For information about downloading objects from Requester
+    #   Pays buckets, see [Downloading Objects in Requester Pays Buckets][1]
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -442,9 +443,16 @@ module Aws::S3
     #   for the part specified. Useful querying about the size of the part and
     #   the number of parts in this object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
-    #   a different account, the request will fail with an HTTP `403 (Access
-    #   Denied)` error.
+    #   The account ID of the expected bucket owner. If the bucket is owned by
+    #   a different account, the request fails with the HTTP status code `403
+    #   Forbidden` (access denied).
+    # @option options [String] :checksum_mode
+    #   To retrieve the checksum, this parameter must be enabled.
+    #
+    #   In addition, if you enable `ChecksumMode` and the object is encrypted
+    #   with Amazon Web Services Key Management Service (Amazon Web Services
+    #   KMS), you must have permission to use the `kms:Decrypt` action for the
+    #   request to succeed.
     # @return [Types::HeadObjectOutput]
     def head(options = {})
       options = options.merge(
@@ -524,6 +532,7 @@ module Aws::S3
       #     request_payer: "requester", # accepts requester
       #     bypass_governance_retention: false,
       #     expected_bucket_owner: "AccountId",
+      #     checksum_algorithm: "CRC32", # accepts CRC32, CRC32C, SHA1, SHA256
       #   })
       # @param options ({})
       # @option options [String] :mfa
@@ -534,21 +543,39 @@ module Aws::S3
       # @option options [String] :request_payer
       #   Confirms that the requester knows that they will be charged for the
       #   request. Bucket owners need not specify this parameter in their
-      #   requests. For information about downloading objects from requester
-      #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-      #   in the *Amazon S3 Developer Guide*.
+      #   requests. For information about downloading objects from Requester
+      #   Pays buckets, see [Downloading Objects in Requester Pays Buckets][1]
+      #   in the *Amazon S3 User Guide*.
       #
       #
       #
       #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
       # @option options [Boolean] :bypass_governance_retention
       #   Specifies whether you want to delete this object even if it has a
-      #   Governance-type Object Lock in place. You must have sufficient
-      #   permissions to perform this operation.
+      #   Governance-type Object Lock in place. To use this header, you must
+      #   have the `s3:BypassGovernanceRetention` permission.
       # @option options [String] :expected_bucket_owner
-      #   The account id of the expected bucket owner. If the bucket is owned by
-      #   a different account, the request will fail with an HTTP `403 (Access
-      #   Denied)` error.
+      #   The account ID of the expected bucket owner. If the bucket is owned by
+      #   a different account, the request fails with the HTTP status code `403
+      #   Forbidden` (access denied).
+      # @option options [String] :checksum_algorithm
+      #   Indicates the algorithm used to create the checksum for the object
+      #   when using the SDK. This header will not provide any additional
+      #   functionality if not using the SDK. When sending this header, there
+      #   must be a corresponding `x-amz-checksum` or `x-amz-trailer` header
+      #   sent. Otherwise, Amazon S3 fails the request with the HTTP status code
+      #   `400 Bad Request`. For more information, see [Checking object
+      #   integrity][1] in the *Amazon S3 User Guide*.
+      #
+      #   If you provide an individual checksum, Amazon S3 ignores any provided
+      #   `ChecksumAlgorithm` parameter.
+      #
+      #   This checksum algorithm must be the same for all parts and it match
+      #   the checksum value supplied in the `CreateMultipartUpload` request.
+      #
+      #
+      #
+      #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/checking-object-integrity.html
       # @return [void]
       def batch_delete!(options = {})
         batch_enum.each do |batch|

data/lib/aws-sdk-s3/plugins/accelerate.rb

@@ -29,7 +29,7 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
             OptionHandler, step: :initialize, operations: operations
           )
           handlers.add(
-            AccelerateHandler, step: :build, priority: 0, operations: operations
+            AccelerateHandler, step: :build, priority: 11, operations: operations
           )
         end
 
@@ -40,8 +40,17 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
             if context.params.is_a?(Hash)
               accelerate = context.params.delete(:use_accelerate_endpoint)
             end
-            if accelerate.nil?
-              accelerate = context.config.use_accelerate_endpoint
+            accelerate = context.config.use_accelerate_endpoint if accelerate.nil?
+            # Raise if :endpoint and accelerate are both provided
+            if accelerate && !context.config.regional_endpoint
+              raise ArgumentError,
+                    'Cannot use both :use_accelerate_endpoint and :endpoint'
+            end
+            # Raise if :use_fips_endpoint and accelerate are both provided
+            if accelerate && context.config.use_fips_endpoint
+              raise ArgumentError,
+                    'Cannot use both :use_accelerate_endpoint and '\
+                    ':use_fips_endpoint'
             end
             context[:use_accelerate_endpoint] = accelerate
             @handler.call(context)
@@ -51,7 +60,7 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
         # @api private
         class AccelerateHandler < Seahorse::Client::Handler
           def call(context)
-            if context[:use_accelerate_endpoint]
+            if context.config.regional_endpoint && context[:use_accelerate_endpoint]
               dualstack = !!context[:use_dualstack_endpoint]
               use_accelerate_endpoint(context, dualstack)
             end

data/lib/aws-sdk-s3/plugins/arn.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 require_relative '../arn/access_point_arn'
+require_relative '../arn/object_lambda_arn'
 require_relative '../arn/outpost_access_point_arn'
+require_relative '../arn/multi_region_access_point_arn'
 
 module Aws
   module S3
@@ -22,11 +24,48 @@ be made. Set to `false` to use the client's region instead.
           resolve_s3_use_arn_region(cfg)
         end
 
+        option(
+          :s3_disable_multiregion_access_points,
+          default: false,
+          doc_type: 'Boolean',
+          docstring: <<-DOCS) do |cfg|
+When set to `false` this will option will raise errors when multi-region
+access point ARNs are used.  Multi-region access points can potentially
+result in cross region requests.
+        DOCS
+          resolve_s3_disable_multiregion_access_points(cfg)
+        end
+
+        # param validator is validate:50
+        # endpoint is build:90 (populates the URI for the first time)
+        # endpoint pattern is build:10
         def add_handlers(handlers, _config)
-          handlers.add(Handler)
+          handlers.add(ARNHandler, step: :validate, priority: 75)
+          handlers.add(UrlHandler)
         end
 
-        class Handler < Seahorse::Client::Handler
+        # After extracting out any ARN input, resolve a new URL with it.
+        class UrlHandler < Seahorse::Client::Handler
+          def call(context)
+            if context.metadata[:s3_arn]
+              ARN.resolve_url!(
+                context.http_request.endpoint,
+                context.metadata[:s3_arn][:arn],
+                context.metadata[:s3_arn][:resolved_region],
+                context.metadata[:s3_arn][:fips],
+                context.metadata[:s3_arn][:dualstack],
+                # if regional_endpoint is false, a custom endpoint was provided
+                # in this case, we want to prefix the endpoint using the ARN
+                !context.config.regional_endpoint
+              )
+            end
+            @handler.call(context)
+          end
+        end
+
+        # This plugin will extract out any ARN input and set context for other
+        # plugins to use without having to translate the ARN again.
+        class ARNHandler < Seahorse::Client::Handler
           def call(context)
             bucket_member = _bucket_member(context.operation.input.shape)
             if bucket_member && (bucket = context.params[bucket_member])
@@ -38,12 +77,12 @@ be made. Set to `false` to use the client's region instead.
               if arn
                 validate_config!(context, arn)
 
-                ARN.resolve_url!(
-                  context.http_request.endpoint,
-                  arn,
-                  resolved_region,
-                  extract_dualstack_config!(context)
-                )
+                context.metadata[:s3_arn] = {
+                  arn: arn,
+                  resolved_region: resolved_region,
+                  fips: context.config.use_fips_endpoint,
+                  dualstack: extract_dualstack_config!(context)
+                }
               end
             end
             @handler.call(context)
@@ -66,28 +105,35 @@ be made. Set to `false` to use the client's region instead.
           end
 
           def validate_config!(context, arn)
-            unless context.config.regional_endpoint
-              raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':endpoint.'
-            end
-
             if context.config.force_path_style
               raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':force_path_style to true.'
+                    'Cannot provide an Access Point ARN when '\
+                    '`:force_path_style` is set to true.'
             end
 
             if context.config.use_accelerate_endpoint
               raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':use_accelerate_endpoint to true.'
+                    'Cannot provide an Access Point ARN when '\
+                    '`:use_accelerate_endpoint` is set to true.'
             end
 
             if !arn.support_dualstack? && context[:use_dualstack_endpoint]
               raise ArgumentError,
-                    'Cannot provide both an Outpost Access Point ARN and '\
-                    'setting :use_dualstack_endpoint to true.'
+                    'Cannot provide an Outpost Access Point, Object Lambda, '\
+                    'or Multi-region Access Point ARN'\
+                    ' when `:use_dualstack_endpoint` is set to true.'
+            end
+
+            if arn.region.empty? && context.config.s3_disable_multiregion_access_points
+              raise ArgumentError,
+                    'Cannot provide a Multi-region Access Point ARN with '\
+                    '`:s3_disable_multiregion_access_points` set to true'
+            end
+
+            if context.config.use_fips_endpoint && !arn.support_fips?
+              raise ArgumentError,
+                    'FIPS client regions are not supported for this type '\
+                    'of ARN.'
             end
           end
         end
@@ -97,15 +143,7 @@ be made. Set to `false` to use the client's region instead.
           def resolve_arn!(member_value, region, use_arn_region)
             if Aws::ARNParser.arn?(member_value)
               arn = Aws::ARNParser.parse(member_value)
-              if arn.resource.start_with?('accesspoint')
-                s3_arn = Aws::S3::AccessPointARN.new(arn.to_h)
-              elsif arn.resource.start_with?('outpost')
-                s3_arn = Aws::S3::OutpostAccessPointARN.new(arn.to_h)
-              else
-                raise ArgumentError,
-                      'Only Access Point and Outpost Access Point type ARNs '\
-                      'are currently supported.'
-              end
+              s3_arn = resolve_arn_type!(arn)
               s3_arn.validate_arn!
               validate_region_config!(s3_arn, region, use_arn_region)
               region = s3_arn.region if use_arn_region
@@ -116,20 +154,53 @@ be made. Set to `false` to use the client's region instead.
           end
 
           # @api private
-          def resolve_url!(url, arn, region, dualstack = false)
-            url.host = arn.host_url(region, dualstack)
+          def resolve_url!(url, arn, region, fips = false, dualstack = false, has_custom_endpoint = false)
+            custom_endpoint = url.host if has_custom_endpoint
+            url.host = arn.host_url(region, fips, dualstack, custom_endpoint)
             url.path = url_path(url.path, arn)
             url
           end
 
           private
 
+          def resolve_arn_type!(arn)
+            case arn.service
+            when 's3'
+              arn.region.empty? ?
+                Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
+                Aws::S3::AccessPointARN.new(arn.to_h)
+            when 's3-outposts'
+              Aws::S3::OutpostAccessPointARN.new(arn.to_h)
+            when 's3-object-lambda'
+              Aws::S3::ObjectLambdaARN.new(arn.to_h)
+            else
+              raise ArgumentError,
+                    'Only Access Point, Outposts, and Object Lambdas ARNs '\
+                    'are currently supported.'
+            end
+          end
+
           def resolve_s3_use_arn_region(cfg)
             value = ENV['AWS_S3_USE_ARN_REGION'] ||
                     Aws.shared_config.s3_use_arn_region(profile: cfg.profile) ||
                     'true'
             value = Aws::Util.str_2_bool(value)
             # Raise if provided value is not true or false
+            if value.nil?
+              raise ArgumentError,
+                    'Must provide either `true` or `false` for the '\
+                    '`s3_use_arn_region` profile option or for '\
+                    "ENV['AWS_S3_USE_ARN_REGION']."
+            end
+            value
+          end
+
+          def resolve_s3_disable_multiregion_access_points(cfg)
+            value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
+              Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
+              'false'
+            value = Aws::Util.str_2_bool(value)
+            # Raise if provided value is not true or false
             if value.nil?
               raise ArgumentError,
                     'Must provide either `true` or `false` for '\
@@ -139,8 +210,7 @@ be made. Set to `false` to use the client's region instead.
             value
           end
 
-          # Remove ARN from the path since it was substituted already
-          # This only works because accesspoints care about the URL
+          # Remove ARN from the path because we've already set the new host
           def url_path(path, arn)
             path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
                        .sub("/#{arn}", '')
@@ -149,34 +219,31 @@ be made. Set to `false` to use the client's region instead.
           end
 
           def validate_region_config!(arn, region, use_arn_region)
-            fips = arn.support_fips?
-
-            # s3-external-1 is specific just to s3 and not part of partitions
-            # aws-global is a partition region
-            unless arn.partition == 'aws' &&
-                   (region == 's3-external-1' || region == 'aws-global')
-              if !fips && arn.region.include?('fips')
-                raise ArgumentError,
-                      'FIPS region ARNs are not supported for this type of ARN.'
-              end
-
-              if !fips && !use_arn_region && region.include?('fips')
-                raise ArgumentError,
-                      'FIPS client regions are not supported for this type of '\
-                      'ARN without s3_use_arn_region.'
-              end
-
-              # if it's a fips region, attempt to normalize it
-              if fips || use_arn_region
-                region = region.gsub('fips-', '').gsub('-fips', '')
+            if ['s3-external-1', 'aws-global'].include?(region)
+              # These "regions" are not regional endpoints
+              unless use_arn_region
+                raise Aws::Errors::InvalidARNRegionError,
+                      'Configured client region is not a regional endpoint.'
               end
-              if use_arn_region &&
-                 !Aws::Partitions.partition(arn.partition).region?(region)
+              # These "regions" are in the AWS partition
+              # Cannot use ARN region unless it's the same partition
+              unless arn.partition == 'aws'
                 raise Aws::Errors::InvalidARNPartitionError
               end
-
-              if !use_arn_region && region != arn.region
-                raise Aws::Errors::InvalidARNRegionError
+            else
+              # use_arn_region does not apply to MRAP (global) arns
+              unless arn.region.empty?
+                # Raise if the ARN and client regions are in different partitions
+                if use_arn_region &&
+                   !Aws::Partitions.partition(arn.partition).region?(region)
+                  raise Aws::Errors::InvalidARNPartitionError
+                end
+
+                # Raise if regions mismatch
+                # Either when it's a fips client or not using the ARN region
+                if !use_arn_region && region != arn.region
+                  raise Aws::Errors::InvalidARNRegionError
+                end
               end
             end
           end

data/lib/aws-sdk-s3/plugins/bucket_dns.rb

@@ -24,7 +24,7 @@ request URI and never moved to the host as a sub-domain.
           DOCS
 
         def add_handlers(handlers, config)
-          handlers.add(Handler) unless config.force_path_style
+          handlers.add(Handler, priority: 48) unless config.force_path_style
         end
 
         # @api private

data/lib/aws-sdk-s3/plugins/dualstack.rb

@@ -5,27 +5,24 @@ module Aws
     module Plugins
       # @api private
       class Dualstack < Seahorse::Client::Plugin
-
-        option(:use_dualstack_endpoint,
-          default: false,
-          doc_type: 'Boolean',
-          docstring: <<-DOCS)
-When set to `true`, IPv6-compatible bucket endpoints will be used
-for all operations.
-          DOCS
-
         def add_handlers(handlers, config)
           handlers.add(OptionHandler, step: :initialize)
-          handlers.add(DualstackHandler, step: :build, priority: 0)
+          handlers.add(DualstackHandler, step: :build, priority: 49)
         end
 
         # @api private
         class OptionHandler < Seahorse::Client::Handler
           def call(context)
+            # Support client configuration and per-operation configuration
             if context.params.is_a?(Hash)
               dualstack = context.params.delete(:use_dualstack_endpoint)
             end
             dualstack = context.config.use_dualstack_endpoint if dualstack.nil?
+            # Raise if :endpoint and dualstack are both provided
+            if dualstack && !context.config.regional_endpoint
+              raise ArgumentError,
+                    'Cannot use both :use_dualstack_endpoint and :endpoint'
+            end
             context[:use_dualstack_endpoint] = dualstack
             @handler.call(context)
           end
@@ -34,37 +31,41 @@ for all operations.
         # @api private
         class DualstackHandler < Seahorse::Client::Handler
           def call(context)
-            apply_dualstack_endpoint(context) if use_dualstack_endpoint?(context)
+            # only rewrite the endpoint if it's not a custom endpoint
+            # accelerate/ARN already handle dualstack cases, so ignore these
+            # check to see if dualstack is on but configured off via operation
+            if context.config.regional_endpoint &&
+               use_dualstack_endpoint?(context)
+              apply_dualstack_endpoint(context)
+            end
             @handler.call(context)
           end
 
           private
-          def apply_dualstack_endpoint(context)
-            bucket_name = context.params[:bucket]
-            region = context.config.region
-            context.config.force_path_style
-            dns_suffix = Aws::Partitions::EndpointProvider.dns_suffix_for(region)
 
-            if use_bucket_dns?(bucket_name, context)
-              host = "#{bucket_name}.s3.dualstack.#{region}.#{dns_suffix}"
-            else
-              host = "s3.dualstack.#{region}.#{dns_suffix}"
-            end
+          def apply_dualstack_endpoint(context)
+            new_endpoint = Aws::Partitions::EndpointProvider.resolve(
+              context.config.region,
+              's3',
+              'regional',
+              {
+                dualstack: context[:use_dualstack_endpoint],
+                fips: context.config.use_fips_endpoint
+              }
+            )
             endpoint = URI.parse(context.http_request.endpoint.to_s)
-            endpoint.scheme = context.http_request.endpoint.scheme
-            endpoint.port = context.http_request.endpoint.port
-            endpoint.host = host
-            context.http_request.endpoint = endpoint.to_s
-          end
-
-          def use_bucket_dns?(bucket_name, context)
-            ssl = context.http_request.endpoint.scheme == "https"
-            bucket_name && BucketDns.dns_compatible?(bucket_name, ssl) &&
-              !context.config.force_path_style
+            endpoint.host = URI.parse(new_endpoint).host
+            context.http_request.endpoint = endpoint
           end
 
           def use_dualstack_endpoint?(context)
-            context[:use_dualstack_endpoint] && !context[:use_accelerate_endpoint]
+            # case when dualstack is turned off via operation
+            (context[:use_dualstack_endpoint] ||
+              context.config.use_dualstack_endpoint) &&
+              # accelerate plugin already applies dualstack
+              !context[:use_accelerate_endpoint] &&
+              # arns handle dualstack
+              !context.metadata[:s3_arn]
           end
         end