aws-sdk-s3 1.87.0 → 1.96.1

data/lib/aws-sdk-s3/object_acl.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -267,8 +267,10 @@ module Aws::S3
     #
     #   This action is not supported by Amazon S3 on Outposts.
     # @option options [String] :grant_write
-    #   Allows grantee to create, overwrite, and delete any object in the
-    #   bucket.
+    #   Allows grantee to create new objects in the bucket.
+    #
+    #   For the bucket and object owners of existing objects, also allows
+    #   deletions and overwrites of those objects.
     # @option options [String] :grant_write_acp
     #   Allows grantee to write the ACL for the applicable bucket.
     #
@@ -278,7 +280,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -286,7 +288,7 @@ module Aws::S3
     # @option options [String] :version_id
     #   VersionId used to reference a specific version of the object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::PutObjectAclOutput]

data/lib/aws-sdk-s3/object_summary.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -42,7 +42,7 @@ module Aws::S3
       @key
     end
 
-    # The date the Object was Last Modified
+    # Creation date of the object.
     # @return [Time]
     def last_modified
       data[:last_modified]
@@ -375,7 +375,7 @@ module Aws::S3
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points.html
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points.html
     # @option options [String] :copy_source_if_match
     #   Copies the object if its entity tag (ETag) matches the specified tag.
     # @option options [Time,DateTime,Date,Integer,String] :copy_source_if_modified_since
@@ -422,7 +422,7 @@ module Aws::S3
     #   and high availability. Depending on performance needs, you can specify
     #   a different Storage Class. Amazon S3 on Outposts only uses the
     #   OUTPOSTS Storage Class. For more information, see [Storage Classes][1]
-    #   in the *Amazon S3 Service Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -449,8 +449,8 @@ module Aws::S3
     #   PUT requests for an object protected by AWS KMS will fail if not made
     #   via SSL or using SigV4. For information about configuring using any of
     #   the officially supported AWS SDKs and AWS CLI, see [Specifying the
-    #   Signature Version in Request Authentication][1] in the *Amazon S3
-    #   Developer Guide*.
+    #   Signature Version in Request Authentication][1] in the *Amazon S3 User
+    #   Guide*.
     #
     #
     #
@@ -465,8 +465,8 @@ module Aws::S3
     #   Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key
     #   for object encryption with SSE-KMS.
     #
-    #   Specifying this header with a COPY operation doesn’t affect
-    #   bucket-level settings for S3 Bucket Key.
+    #   Specifying this header with a COPY action doesn’t affect bucket-level
+    #   settings for S3 Bucket Key.
     # @option options [String] :copy_source_sse_customer_algorithm
     #   Specifies the algorithm to use when decrypting the source object (for
     #   example, AES256).
@@ -483,7 +483,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -500,11 +500,11 @@ module Aws::S3
     # @option options [String] :object_lock_legal_hold_status
     #   Specifies whether you want to apply a Legal Hold to the copied object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected destination bucket owner. If the
+    #   The account ID of the expected destination bucket owner. If the
     #   destination bucket is owned by a different account, the request will
     #   fail with an HTTP `403 (Access Denied)` error.
     # @option options [String] :expected_source_bucket_owner
-    #   The account id of the expected source bucket owner. If the source
+    #   The account ID of the expected source bucket owner. If the source
     #   bucket is owned by a different account, the request will fail with an
     #   HTTP `403 (Access Denied)` error.
     # @return [Types::CopyObjectOutput]
@@ -539,7 +539,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -548,7 +548,7 @@ module Aws::S3
     #   Indicates whether S3 Object Lock should bypass Governance-mode
     #   restrictions to process this operation.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::DeleteObjectOutput]
@@ -624,13 +624,13 @@ module Aws::S3
     # @option options [String] :version_id
     #   VersionId used to reference a specific version of the object.
     # @option options [String] :sse_customer_algorithm
-    #   Specifies the algorithm to use to when encrypting the object (for
+    #   Specifies the algorithm to use to when decrypting the object (for
     #   example, AES256).
     # @option options [String] :sse_customer_key
-    #   Specifies the customer-provided encryption key for Amazon S3 to use in
-    #   encrypting data. This value is used to store the object and then it is
-    #   discarded; Amazon S3 does not store the encryption key. The key must
-    #   be appropriate for use with the algorithm specified in the
+    #   Specifies the customer-provided encryption key for Amazon S3 used to
+    #   encrypt the data. This value is used to decrypt the object when
+    #   recovering it and must match the one used when storing the data. The
+    #   key must be appropriate for use with the algorithm specified in the
     #   `x-amz-server-side-encryption-customer-algorithm` header.
     # @option options [String] :sse_customer_key_md5
     #   Specifies the 128-bit MD5 digest of the encryption key according to
@@ -641,7 +641,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -652,7 +652,7 @@ module Aws::S3
     #   for the part specified. Useful for downloading just a part of an
     #   object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::GetObjectOutput]
@@ -745,7 +745,7 @@ module Aws::S3
     #   and high availability. Depending on performance needs, you can specify
     #   a different Storage Class. Amazon S3 on Outposts only uses the
     #   OUTPOSTS Storage Class. For more information, see [Storage Classes][1]
-    #   in the *Amazon S3 Service Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -773,11 +773,11 @@ module Aws::S3
     #   protected by AWS KMS will fail if not made via SSL or using SigV4. For
     #   information about configuring using any of the officially supported
     #   AWS SDKs and AWS CLI, see [Specifying the Signature Version in Request
-    #   Authentication][1] in the *Amazon S3 Developer Guide*.
+    #   Authentication][1] in the *Amazon S3 User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/http:/docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
     # @option options [String] :ssekms_encryption_context
     #   Specifies the AWS KMS Encryption Context to use for object encryption.
     #   The value of this header is a base64-encoded UTF-8 string holding JSON
@@ -788,14 +788,14 @@ module Aws::S3
     #   Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key
     #   for object encryption with SSE-KMS.
     #
-    #   Specifying this header with an object operation doesn’t affect
+    #   Specifying this header with an object action doesn’t affect
     #   bucket-level settings for S3 Bucket Key.
     # @option options [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -812,7 +812,7 @@ module Aws::S3
     #   Specifies whether you want to apply a Legal Hold to the uploaded
     #   object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [MultipartUpload]
@@ -969,7 +969,7 @@ module Aws::S3
     #   and high availability. Depending on performance needs, you can specify
     #   a different Storage Class. Amazon S3 on Outposts only uses the
     #   OUTPOSTS Storage Class. For more information, see [Storage Classes][1]
-    #   in the *Amazon S3 Service Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -1016,14 +1016,12 @@ module Aws::S3
     #   If `x-amz-server-side-encryption` is present and has the value of
     #   `aws:kms`, this header specifies the ID of the AWS Key Management
     #   Service (AWS KMS) symmetrical customer managed customer master key
-    #   (CMK) that was used for the object.
-    #
-    #   If the value of `x-amz-server-side-encryption` is `aws:kms`, this
-    #   header specifies the ID of the symmetric customer managed AWS KMS CMK
-    #   that will be used for the object. If you specify
+    #   (CMK) that was used for the object. If you specify
     #   `x-amz-server-side-encryption:aws:kms`, but do not provide`
     #   x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the AWS
-    #   managed CMK in AWS to protect the data.
+    #   managed CMK in AWS to protect the data. If the KMS key does not exist
+    #   in the same account issuing the command, you must use the full ARN and
+    #   not just the ID.
     # @option options [String] :ssekms_encryption_context
     #   Specifies the AWS KMS Encryption Context to use for object encryption.
     #   The value of this header is a base64-encoded UTF-8 string holding JSON
@@ -1034,14 +1032,14 @@ module Aws::S3
     #   Setting this header to `true` causes Amazon S3 to use an S3 Bucket Key
     #   for object encryption with SSE-KMS.
     #
-    #   Specifying this header with a PUT operation doesn’t affect
-    #   bucket-level settings for S3 Bucket Key.
+    #   Specifying this header with a PUT action doesn’t affect bucket-level
+    #   settings for S3 Bucket Key.
     # @option options [String] :request_payer
     #   Confirms that the requester knows that they will be charged for the
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -1053,6 +1051,7 @@ module Aws::S3
     #   The Object Lock mode that you want to apply to this object.
     # @option options [Time,DateTime,Date,Integer,String] :object_lock_retain_until_date
     #   The date and time when you want this object's Object Lock to expire.
+    #   Must be formatted as a timestamp parameter.
     # @option options [String] :object_lock_legal_hold_status
     #   Specifies whether a legal hold will be applied to this object. For
     #   more information about S3 Object Lock, see [Object Lock][1].
@@ -1061,7 +1060,7 @@ module Aws::S3
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock.html
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::PutObjectOutput]
@@ -1172,13 +1171,13 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::RestoreObjectOutput]
@@ -1325,7 +1324,7 @@ module Aws::S3
       #   request. Bucket owners need not specify this parameter in their
       #   requests. For information about downloading objects from requester
       #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-      #   in the *Amazon S3 Developer Guide*.
+      #   in the *Amazon S3 User Guide*.
       #
       #
       #
@@ -1335,7 +1334,7 @@ module Aws::S3
       #   Governance-type Object Lock in place. You must have sufficient
       #   permissions to perform this operation.
       # @option options [String] :expected_bucket_owner
-      #   The account id of the expected bucket owner. If the bucket is owned by
+      #   The account ID of the expected bucket owner. If the bucket is owned by
       #   a different account, the request will fail with an HTTP `403 (Access
       #   Denied)` error.
       # @return [void]

data/lib/aws-sdk-s3/object_version.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -247,7 +247,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -256,7 +256,7 @@ module Aws::S3
     #   Indicates whether S3 Object Lock should bypass Governance-mode
     #   restrictions to process this operation.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::DeleteObjectOutput]
@@ -330,13 +330,13 @@ module Aws::S3
     # @option options [Time,DateTime,Date,Integer,String] :response_expires
     #   Sets the `Expires` header of the response.
     # @option options [String] :sse_customer_algorithm
-    #   Specifies the algorithm to use to when encrypting the object (for
+    #   Specifies the algorithm to use to when decrypting the object (for
     #   example, AES256).
     # @option options [String] :sse_customer_key
-    #   Specifies the customer-provided encryption key for Amazon S3 to use in
-    #   encrypting data. This value is used to store the object and then it is
-    #   discarded; Amazon S3 does not store the encryption key. The key must
-    #   be appropriate for use with the algorithm specified in the
+    #   Specifies the customer-provided encryption key for Amazon S3 used to
+    #   encrypt the data. This value is used to decrypt the object when
+    #   recovering it and must match the one used when storing the data. The
+    #   key must be appropriate for use with the algorithm specified in the
     #   `x-amz-server-side-encryption-customer-algorithm` header.
     # @option options [String] :sse_customer_key_md5
     #   Specifies the 128-bit MD5 digest of the encryption key according to
@@ -347,7 +347,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -358,7 +358,7 @@ module Aws::S3
     #   for the part specified. Useful for downloading just a part of an
     #   object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::GetObjectOutput]
@@ -431,7 +431,7 @@ module Aws::S3
     #   request. Bucket owners need not specify this parameter in their
     #   requests. For information about downloading objects from requester
     #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-    #   in the *Amazon S3 Developer Guide*.
+    #   in the *Amazon S3 User Guide*.
     #
     #
     #
@@ -442,7 +442,7 @@ module Aws::S3
     #   for the part specified. Useful querying about the size of the part and
     #   the number of parts in this object.
     # @option options [String] :expected_bucket_owner
-    #   The account id of the expected bucket owner. If the bucket is owned by
+    #   The account ID of the expected bucket owner. If the bucket is owned by
     #   a different account, the request will fail with an HTTP `403 (Access
     #   Denied)` error.
     # @return [Types::HeadObjectOutput]
@@ -536,7 +536,7 @@ module Aws::S3
       #   request. Bucket owners need not specify this parameter in their
       #   requests. For information about downloading objects from requester
       #   pays buckets, see [Downloading Objects in Requestor Pays Buckets][1]
-      #   in the *Amazon S3 Developer Guide*.
+      #   in the *Amazon S3 User Guide*.
       #
       #
       #
@@ -546,7 +546,7 @@ module Aws::S3
       #   Governance-type Object Lock in place. You must have sufficient
       #   permissions to perform this operation.
       # @option options [String] :expected_bucket_owner
-      #   The account id of the expected bucket owner. If the bucket is owned by
+      #   The account ID of the expected bucket owner. If the bucket is owned by
       #   a different account, the request will fail with an HTTP `403 (Access
       #   Denied)` error.
       # @return [void]

data/lib/aws-sdk-s3/plugins/accelerate.rb

@@ -29,7 +29,7 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
             OptionHandler, step: :initialize, operations: operations
           )
           handlers.add(
-            AccelerateHandler, step: :build, priority: 0, operations: operations
+            AccelerateHandler, step: :build, priority: 11, operations: operations
           )
         end
 
@@ -40,8 +40,11 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
             if context.params.is_a?(Hash)
               accelerate = context.params.delete(:use_accelerate_endpoint)
             end
-            if accelerate.nil?
-              accelerate = context.config.use_accelerate_endpoint
+            accelerate = context.config.use_accelerate_endpoint if accelerate.nil?
+            # Raise if :endpoint and dualstack are both provided
+            if accelerate && !context.config.regional_endpoint
+              raise ArgumentError,
+                    'Cannot use both :use_accelerate_endpoint and :endpoint'
             end
             context[:use_accelerate_endpoint] = accelerate
             @handler.call(context)
@@ -51,7 +54,7 @@ each bucket. [Go here for more information](http://docs.aws.amazon.com/AmazonS3/
         # @api private
         class AccelerateHandler < Seahorse::Client::Handler
           def call(context)
-            if context[:use_accelerate_endpoint]
+            if context.config.regional_endpoint && context[:use_accelerate_endpoint]
               dualstack = !!context[:use_dualstack_endpoint]
               use_accelerate_endpoint(context, dualstack)
             end

data/lib/aws-sdk-s3/plugins/arn.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative '../arn/access_point_arn'
+require_relative '../arn/object_lambda_arn'
 require_relative '../arn/outpost_access_point_arn'
 
 module Aws
@@ -22,11 +23,36 @@ be made. Set to `false` to use the client's region instead.
           resolve_s3_use_arn_region(cfg)
         end
 
+        # param validator is validate:50
+        # endpoint is build:90 (populates the URI for the first time)
+        # endpoint pattern is build:10
         def add_handlers(handlers, _config)
-          handlers.add(Handler)
+          handlers.add(ARNHandler, step: :validate, priority: 75)
+          handlers.add(UrlHandler)
         end
 
-        class Handler < Seahorse::Client::Handler
+        # After extracting out any ARN input, resolve a new URL with it.
+        class UrlHandler < Seahorse::Client::Handler
+          def call(context)
+            if context.metadata[:s3_arn]
+              ARN.resolve_url!(
+                context.http_request.endpoint,
+                context.metadata[:s3_arn][:arn],
+                context.metadata[:s3_arn][:resolved_region],
+                context.metadata[:s3_arn][:fips],
+                context.metadata[:s3_arn][:dualstack],
+                # if regional_endpoint is false, a custom endpoint was provided
+                # in this case, we want to prefix the endpoint using the ARN
+                !context.config.regional_endpoint
+              )
+            end
+            @handler.call(context)
+          end
+        end
+
+        # This plugin will extract out any ARN input and set context for other
+        # plugins to use without having to translate the ARN again.
+        class ARNHandler < Seahorse::Client::Handler
           def call(context)
             bucket_member = _bucket_member(context.operation.input.shape)
             if bucket_member && (bucket = context.params[bucket_member])
@@ -38,12 +64,19 @@ be made. Set to `false` to use the client's region instead.
               if arn
                 validate_config!(context, arn)
 
-                ARN.resolve_url!(
-                  context.http_request.endpoint,
-                  arn,
-                  resolved_region,
-                  extract_dualstack_config!(context)
-                )
+                fips = false
+                if resolved_region.include?('fips')
+                  fips = true
+                  resolved_region = resolved_region.gsub('fips-', '')
+                                                   .gsub('-fips', '')
+                end
+
+                context.metadata[:s3_arn] = {
+                  arn: arn,
+                  resolved_region: resolved_region,
+                  fips: fips,
+                  dualstack: extract_dualstack_config!(context)
+                }
               end
             end
             @handler.call(context)
@@ -66,28 +99,22 @@ be made. Set to `false` to use the client's region instead.
           end
 
           def validate_config!(context, arn)
-            unless context.config.regional_endpoint
-              raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':endpoint.'
-            end
-
             if context.config.force_path_style
               raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':force_path_style to true.'
+                    'Cannot provide an Access Point ARN when '\
+                    '`:force_path_style` is set to true.'
             end
 
             if context.config.use_accelerate_endpoint
               raise ArgumentError,
-                    'Cannot provide both an Access Point ARN and setting '\
-                    ':use_accelerate_endpoint to true.'
+                    'Cannot provide an Access Point ARN when '\
+                    '`:use_accelerate_endpoint` is set to true.'
             end
 
             if !arn.support_dualstack? && context[:use_dualstack_endpoint]
               raise ArgumentError,
-                    'Cannot provide both an Outpost Access Point ARN and '\
-                    'setting :use_dualstack_endpoint to true.'
+                    'Cannot provide an Outpost Access Point ARN when '\
+                    '`:use_dualstack_endpoint` is set to true.'
             end
           end
         end
@@ -97,18 +124,10 @@ be made. Set to `false` to use the client's region instead.
           def resolve_arn!(member_value, region, use_arn_region)
             if Aws::ARNParser.arn?(member_value)
               arn = Aws::ARNParser.parse(member_value)
-              if arn.resource.start_with?('accesspoint')
-                s3_arn = Aws::S3::AccessPointARN.new(arn.to_h)
-              elsif arn.resource.start_with?('outpost')
-                s3_arn = Aws::S3::OutpostAccessPointARN.new(arn.to_h)
-              else
-                raise ArgumentError,
-                      'Only Access Point and Outpost Access Point type ARNs '\
-                      'are currently supported.'
-              end
+              s3_arn = resolve_arn_type!(arn)
               s3_arn.validate_arn!
               validate_region_config!(s3_arn, region, use_arn_region)
-              region = s3_arn.region if use_arn_region
+              region = s3_arn.region if use_arn_region && !region.include?('fips')
               [region, s3_arn]
             else
               [region]
@@ -116,14 +135,30 @@ be made. Set to `false` to use the client's region instead.
           end
 
           # @api private
-          def resolve_url!(url, arn, region, dualstack = false)
-            url.host = arn.host_url(region, dualstack)
+          def resolve_url!(url, arn, region, fips = false, dualstack = false, has_custom_endpoint = false)
+            custom_endpoint = url.host if has_custom_endpoint
+            url.host = arn.host_url(region, fips, dualstack, custom_endpoint)
             url.path = url_path(url.path, arn)
             url
           end
 
           private
 
+          def resolve_arn_type!(arn)
+            case arn.service
+            when 's3'
+              Aws::S3::AccessPointARN.new(arn.to_h)
+            when 's3-outposts'
+              Aws::S3::OutpostAccessPointARN.new(arn.to_h)
+            when 's3-object-lambda'
+              Aws::S3::ObjectLambdaARN.new(arn.to_h)
+            else
+              raise ArgumentError,
+                    'Only Access Point, Outposts, and Object Lambdas ARNs '\
+                    'are currently supported.'
+            end
+          end
+
           def resolve_s3_use_arn_region(cfg)
             value = ENV['AWS_S3_USE_ARN_REGION'] ||
                     Aws.shared_config.s3_use_arn_region(profile: cfg.profile) ||
@@ -132,15 +167,14 @@ be made. Set to `false` to use the client's region instead.
             # Raise if provided value is not true or false
             if value.nil?
               raise ArgumentError,
-                    'Must provide either `true` or `false` for '\
-                    's3_use_arn_region profile option or for '\
-                    "ENV['AWS_S3_USE_ARN_REGION']"
+                    'Must provide either `true` or `false` for the '\
+                    '`s3_use_arn_region` profile option or for '\
+                    "ENV['AWS_S3_USE_ARN_REGION']."
             end
             value
           end
 
-          # Remove ARN from the path since it was substituted already
-          # This only works because accesspoints care about the URL
+          # Remove ARN from the path because we've already set the new host
           def url_path(path, arn)
             path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
                        .sub("/#{arn}", '')
@@ -149,33 +183,40 @@ be made. Set to `false` to use the client's region instead.
           end
 
           def validate_region_config!(arn, region, use_arn_region)
-            fips = arn.support_fips?
-
-            # s3-external-1 is specific just to s3 and not part of partitions
-            # aws-global is a partition region
-            unless arn.partition == 'aws' &&
-                   (region == 's3-external-1' || region == 'aws-global')
-              if !fips && arn.region.include?('fips')
-                raise ArgumentError,
-                      'FIPS region ARNs are not supported for this type of ARN.'
+            if ['s3-external-1', 'aws-global'].include?(region)
+              # These "regions" are not regional endpoints
+              unless use_arn_region
+                raise Aws::Errors::InvalidARNRegionError,
+                      'Configured client region is not a regional endpoint.'
               end
-
-              if !fips && !use_arn_region && region.include?('fips')
-                raise ArgumentError,
-                      'FIPS client regions are not supported for this type of '\
-                      'ARN without s3_use_arn_region.'
+              # These "regions" are in the AWS partition
+              # Cannot use ARN region unless it's the same partition
+              unless arn.partition == 'aws'
+                raise Aws::Errors::InvalidARNPartitionError
               end
-
-              # if it's a fips region, attempt to normalize it
-              if fips || use_arn_region
+            else
+              if region.include?('fips')
+                # If ARN type doesn't support FIPS but the client region is FIPS
+                unless arn.support_fips?
+                  raise ArgumentError,
+                        'FIPS client regions are not supported for this type '\
+                        'of ARN.'
+                end
+
+                fips = true
+                # Normalize the region so we can compare partition and regions
                 region = region.gsub('fips-', '').gsub('-fips', '')
               end
+
+              # Raise if the ARN and client regions are in different partitions
               if use_arn_region &&
                  !Aws::Partitions.partition(arn.partition).region?(region)
                 raise Aws::Errors::InvalidARNPartitionError
               end
 
-              if !use_arn_region && region != arn.region
+              # Raise if regions mismatch
+              # Either when it's a fips client or not using the ARN region
+              if (!use_arn_region || fips) && region != arn.region
                 raise Aws::Errors::InvalidARNRegionError
               end
             end