aws-sdk-s3 1.98.0 → 1.102.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/arn/multi_region_access_point_arn.rb +69 -0
- data/lib/aws-sdk-s3/bucket.rb +13 -13
- data/lib/aws-sdk-s3/bucket_acl.rb +3 -2
- data/lib/aws-sdk-s3/bucket_cors.rb +3 -2
- data/lib/aws-sdk-s3/bucket_lifecycle.rb +3 -2
- data/lib/aws-sdk-s3/bucket_logging.rb +3 -2
- data/lib/aws-sdk-s3/bucket_notification.rb +2 -2
- data/lib/aws-sdk-s3/bucket_policy.rb +3 -2
- data/lib/aws-sdk-s3/bucket_request_payment.rb +3 -2
- data/lib/aws-sdk-s3/bucket_tagging.rb +3 -2
- data/lib/aws-sdk-s3/bucket_versioning.rb +9 -6
- data/lib/aws-sdk-s3/bucket_website.rb +3 -2
- data/lib/aws-sdk-s3/client.rb +791 -658
- data/lib/aws-sdk-s3/customizations/object.rb +2 -2
- data/lib/aws-sdk-s3/encryption/client.rb +1 -1
- data/lib/aws-sdk-s3/encryption/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/client.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/file_uploader.rb +1 -1
- data/lib/aws-sdk-s3/multipart_upload_part.rb +2 -1
- data/lib/aws-sdk-s3/object.rb +44 -40
- data/lib/aws-sdk-s3/object_acl.rb +3 -2
- data/lib/aws-sdk-s3/object_summary.rb +42 -37
- data/lib/aws-sdk-s3/object_version.rb +4 -3
- data/lib/aws-sdk-s3/plugins/arn.rb +51 -12
- data/lib/aws-sdk-s3/plugins/s3_signer.rb +10 -1
- data/lib/aws-sdk-s3/presigner.rb +6 -0
- data/lib/aws-sdk-s3/types.rb +510 -438
- data/lib/aws-sdk-s3.rb +1 -1
- metadata +8 -7
@@ -337,10 +337,10 @@ module Aws
|
|
337
337
|
# using an open Tempfile, rewind it before uploading or else the object
|
338
338
|
# will be empty.
|
339
339
|
#
|
340
|
-
# @option options [Integer] :multipart_threshold (
|
340
|
+
# @option options [Integer] :multipart_threshold (104857600) Files larger
|
341
341
|
# than or equal to `:multipart_threshold` are uploaded using the S3
|
342
342
|
# multipart APIs.
|
343
|
-
# Default threshold is
|
343
|
+
# Default threshold is 100MB.
|
344
344
|
#
|
345
345
|
# @option options [Integer] :thread_count (10) The number of parallel
|
346
346
|
# multipart uploads. This option is not used if the file is smaller than
|
@@ -165,10 +165,6 @@ module Aws
|
|
165
165
|
# to initialize the cipher, and the decrypter truncates the
|
166
166
|
# auth tag from the body when writing the final bytes.
|
167
167
|
def authenticated_decrypter(context, cipher, envelope)
|
168
|
-
if RUBY_VERSION.match(/^1.9/)
|
169
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
170
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
171
|
-
end
|
172
168
|
http_resp = context.http_response
|
173
169
|
content_length = http_resp.headers['content-length'].to_i
|
174
170
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -166,10 +166,6 @@ module Aws
|
|
166
166
|
# to initialize the cipher, and the decrypter truncates the
|
167
167
|
# auth tag from the body when writing the final bytes.
|
168
168
|
def authenticated_decrypter(context, cipher, envelope)
|
169
|
-
if RUBY_VERSION.match(/^1.9/)
|
170
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
171
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
172
|
-
end
|
173
169
|
http_resp = context.http_response
|
174
170
|
content_length = http_resp.headers['content-length'].to_i
|
175
171
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -9,10 +9,6 @@ module Aws
|
|
9
9
|
class EncryptHandler < Seahorse::Client::Handler
|
10
10
|
|
11
11
|
def call(context)
|
12
|
-
if RUBY_VERSION.match(/^1.9/)
|
13
|
-
raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
|
14
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
15
|
-
end
|
16
12
|
envelope, cipher = context[:encryption][:cipher_provider]
|
17
13
|
.encryption_cipher(
|
18
14
|
kms_encryption_context: context[:encryption][:kms_encryption_context]
|
@@ -11,7 +11,7 @@ module Aws
|
|
11
11
|
|
12
12
|
# @param [Hash] options
|
13
13
|
# @option options [Client] :client
|
14
|
-
# @option options [Integer] :multipart_threshold (
|
14
|
+
# @option options [Integer] :multipart_threshold (104857600)
|
15
15
|
def initialize(options = {})
|
16
16
|
@options = options
|
17
17
|
@client = options[:client] || Client.new
|
@@ -248,7 +248,8 @@ module Aws::S3
|
|
248
248
|
# The value must be URL encoded.
|
249
249
|
#
|
250
250
|
# <note markdown="1"> Amazon S3 supports copy operations using access points only when the
|
251
|
-
# source and destination buckets are in the same
|
251
|
+
# source and destination buckets are in the same Amazon Web Services
|
252
|
+
# Region.
|
252
253
|
#
|
253
254
|
# </note>
|
254
255
|
#
|
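--- a/data/lib/aws-sdk-s3/object.rb
+++ b/data/lib/aws-sdk-s3/object.rb
@@ -184,10 +184,10 @@ module Aws::S3
 end
 
 # If the object is stored using server-side encryption either with an
-#
-# key, the response includes this header with the
-# server-side encryption algorithm used when storing this
-# Amazon S3 (for example, AES256, aws:kms).
+# Amazon Web Services KMS customer master key (CMK) or an Amazon
+# S3-managed encryption key, the response includes this header with the
+# value of the server-side encryption algorithm used when storing this
+# object in Amazon S3 (for example, AES256, aws:kms).
 # @return [String]
 def server_side_encryption
 data[:server_side_encryption]
@@ -216,16 +216,16 @@ module Aws::S3
 data[:sse_customer_key_md5]
 end
 
-# If present, specifies the ID of the
-# KMS) symmetric customer managed customer
-# used for the object.
+# If present, specifies the ID of the Amazon Web Services Key Management
+# Service (Amazon Web Services KMS) symmetric customer managed customer
+# master key (CMK) that was used for the object.
 # @return [String]
 def ssekms_key_id
 data[:ssekms_key_id]
 end
 
 # Indicates whether the object uses an S3 Bucket Key for server-side
-# encryption with
+# encryption with Amazon Web Services KMS (SSE-KMS).
 # @return [Boolean]
 def bucket_key_enabled
 data[:bucket_key_enabled]
@@ -611,7 +611,8 @@ module Aws::S3
 # The value must be URL encoded.
 #
 # <note markdown="1"> Amazon S3 supports copy operations using access points only when the
-# source and destination buckets are in the same
+# source and destination buckets are in the same Amazon Web Services
+# Region.
 #
 # </note>
 #
@@ -702,20 +703,21 @@ module Aws::S3
 # RFC 1321. Amazon S3 uses this header for a message integrity check to
 # ensure that the encryption key was transmitted without error.
 # @option options [String] :ssekms_key_id
-# Specifies the
-# PUT requests for an object protected by
-# via SSL or using SigV4. For
-#
-#
-#
+# Specifies the Amazon Web Services KMS key ID to use for object
+# encryption. All GET and PUT requests for an object protected by Amazon
+# Web Services KMS will fail if not made via SSL or using SigV4. For
+# information about configuring using any of the officially supported
+# Amazon Web Services SDKs and Amazon Web Services CLI, see [Specifying
+# the Signature Version in Request Authentication][1] in the *Amazon S3
+# User Guide*.
 #
 #
 #
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
 # @option options [String] :ssekms_encryption_context
-# Specifies the
-# The value of this header is a base64-encoded UTF-8
-# with the encryption context key-value pairs.
+# Specifies the Amazon Web Services KMS Encryption Context to use for
+# object encryption. The value of this header is a base64-encoded UTF-8
+# string holding JSON with the encryption context key-value pairs.
 # @option options [Boolean] :bucket_key_enabled
 # Specifies whether Amazon S3 should use an S3 Bucket Key for object
 # encryption with server-side encryption using AWS KMS (SSE-KMS).
@@ -803,7 +805,8 @@ module Aws::S3
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
 # @option options [Boolean] :bypass_governance_retention
 # Indicates whether S3 Object Lock should bypass Governance-mode
-# restrictions to process this operation.
+# restrictions to process this operation. To use this header, you must
+# have the `s3:PutBucketPublicAccessBlock` permission.
 # @option options [String] :expected_bucket_owner
 # The account ID of the expected bucket owner. If the bucket is owned by
 # a different account, the request will fail with an HTTP `403 (Access
@@ -1025,20 +1028,21 @@ module Aws::S3
 # RFC 1321. Amazon S3 uses this header for a message integrity check to
 # ensure that the encryption key was transmitted without error.
 # @option options [String] :ssekms_key_id
-# Specifies the ID of the symmetric customer managed
-# for object encryption. All GET and PUT requests for an
-# protected by
-# information about configuring using any of the
-#
+# Specifies the ID of the symmetric customer managed Amazon Web Services
+# KMS CMK to use for object encryption. All GET and PUT requests for an
+# object protected by Amazon Web Services KMS will fail if not made via
+# SSL or using SigV4. For information about configuring using any of the
+# officially supported Amazon Web Services SDKs and Amazon Web Services
+# CLI, see [Specifying the Signature Version in Request
 # Authentication][1] in the *Amazon S3 User Guide*.
 #
 #
 #
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
 # @option options [String] :ssekms_encryption_context
-# Specifies the
-# The value of this header is a base64-encoded UTF-8
-# with the encryption context key-value pairs.
+# Specifies the Amazon Web Services KMS Encryption Context to use for
+# object encryption. The value of this header is a base64-encoded UTF-8
+# string holding JSON with the encryption context key-value pairs.
 # @option options [Boolean] :bucket_key_enabled
 # Specifies whether Amazon S3 should use an S3 Bucket Key for object
 # encryption with server-side encryption using AWS KMS (SSE-KMS).
@@ -1271,18 +1275,18 @@ module Aws::S3
 # ensure that the encryption key was transmitted without error.
 # @option options [String] :ssekms_key_id
 # If `x-amz-server-side-encryption` is present and has the value of
-# `aws:kms`, this header specifies the ID of the
-# Service (
-# (CMK) that was used for the object. If you
-# `x-amz-server-side-encryption:aws:kms`, but do not provide`
-# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
-# managed CMK in
-#
-# not just the ID.
+# `aws:kms`, this header specifies the ID of the Amazon Web Services Key
+# Management Service (Amazon Web Services KMS) symmetrical customer
+# managed customer master key (CMK) that was used for the object. If you
+# specify `x-amz-server-side-encryption:aws:kms`, but do not provide`
+# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
+# Amazon Web Services managed CMK in Amazon Web Services to protect the
+# data. If the KMS key does not exist in the same account issuing the
+# command, you must use the full ARN and not just the ID.
 # @option options [String] :ssekms_encryption_context
-# Specifies the
-# The value of this header is a base64-encoded UTF-8
-# with the encryption context key-value pairs.
+# Specifies the Amazon Web Services KMS Encryption Context to use for
+# object encryption. The value of this header is a base64-encoded UTF-8
+# string holding JSON with the encryption context key-value pairs.
 # @option options [Boolean] :bucket_key_enabled
 # Specifies whether Amazon S3 should use an S3 Bucket Key for object
 # encryption with server-side encryption using AWS KMS (SSE-KMS).
@@ -1665,8 +1669,8 @@ module Aws::S3
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
 # @option options [Boolean] :bypass_governance_retention
 # Specifies whether you want to delete this object even if it has a
-# Governance-type Object Lock in place.
-#
+# Governance-type Object Lock in place. To use this header, you must
+# have the `s3:PutBucketPublicAccessBlock` permission.
 # @option options [String] :expected_bucket_owner
 # The account ID of the expected bucket owner. If the bucket is owned by
 # a different account, the request will fail with an HTTP `403 (Access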
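Review bot: The sentence added to the `:bypass_governance_retention` option docs (hunks at -803 and -1665) names `s3:PutBucketPublicAccessBlock`, which looks like the wrong IAM action; bypassing Object Lock governance mode is normally gated by `s3:BypassGovernanceRetention`. Anyone writing a least-privilege policy from this comment would grant an unrelated bucket-level permission and still be denied the bypass. These comments appear to be generated from the service model, so the correction probably belongs upstream; the second added line would read `# have the s3:BypassGovernanceRetention permission.` with the action name in backticks. The same sentence is added in the object_summary.rb hunks at -546 and -1331 and in the object_version.rb hunks at -254 and -543.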
@@ -247,8 +247,9 @@ module Aws::S3
|
|
247
247
|
# not corrupted in transit. For more information, go to [RFC
|
248
248
|
# 1864.>][1]
|
249
249
|
#
|
250
|
-
# For requests made using the
|
251
|
-
# SDKs, this field is calculated
|
250
|
+
# For requests made using the Amazon Web Services Command Line Interface
|
251
|
+
# (CLI) or Amazon Web Services SDKs, this field is calculated
|
252
|
+
# automatically.
|
252
253
|
#
|
253
254
|
#
|
254
255
|
#
|
@@ -55,13 +55,14 @@ module Aws::S3
|
|
55
55
|
# below:
|
56
56
|
#
|
57
57
|
# * Objects created by the PUT Object, POST Object, or Copy operation,
|
58
|
-
# or through the
|
59
|
-
# or plaintext, have ETags that are an MD5 digest
|
60
|
-
# data.
|
58
|
+
# or through the Amazon Web Services Management Console, and are
|
59
|
+
# encrypted by SSE-S3 or plaintext, have ETags that are an MD5 digest
|
60
|
+
# of their object data.
|
61
61
|
#
|
62
62
|
# * Objects created by the PUT Object, POST Object, or Copy operation,
|
63
|
-
# or through the
|
64
|
-
# SSE-KMS, have ETags that are not an MD5 digest
|
63
|
+
# or through the Amazon Web Services Management Console, and are
|
64
|
+
# encrypted by SSE-C or SSE-KMS, have ETags that are not an MD5 digest
|
65
|
+
# of their object data.
|
65
66
|
#
|
66
67
|
# * If an object is created by either the Multipart Upload or Part Copy
|
67
68
|
# operation, the ETag is not an MD5 digest, regardless of the method
|
@@ -354,7 +355,8 @@ module Aws::S3
|
|
354
355
|
# The value must be URL encoded.
|
355
356
|
#
|
356
357
|
# <note markdown="1"> Amazon S3 supports copy operations using access points only when the
|
357
|
-
# source and destination buckets are in the same
|
358
|
+
# source and destination buckets are in the same Amazon Web Services
|
359
|
+
# Region.
|
358
360
|
#
|
359
361
|
# </note>
|
360
362
|
#
|
@@ -445,20 +447,21 @@ module Aws::S3
|
|
445
447
|
# RFC 1321. Amazon S3 uses this header for a message integrity check to
|
446
448
|
# ensure that the encryption key was transmitted without error.
|
447
449
|
# @option options [String] :ssekms_key_id
|
448
|
-
# Specifies the
|
449
|
-
# PUT requests for an object protected by
|
450
|
-
# via SSL or using SigV4. For
|
451
|
-
#
|
452
|
-
#
|
453
|
-
#
|
450
|
+
# Specifies the Amazon Web Services KMS key ID to use for object
|
451
|
+
# encryption. All GET and PUT requests for an object protected by Amazon
|
452
|
+
# Web Services KMS will fail if not made via SSL or using SigV4. For
|
453
|
+
# information about configuring using any of the officially supported
|
454
|
+
# Amazon Web Services SDKs and Amazon Web Services CLI, see [Specifying
|
455
|
+
# the Signature Version in Request Authentication][1] in the *Amazon S3
|
456
|
+
# User Guide*.
|
454
457
|
#
|
455
458
|
#
|
456
459
|
#
|
457
460
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
458
461
|
# @option options [String] :ssekms_encryption_context
|
459
|
-
# Specifies the
|
460
|
-
# The value of this header is a base64-encoded UTF-8
|
461
|
-
# with the encryption context key-value pairs.
|
462
|
+
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
463
|
+
# object encryption. The value of this header is a base64-encoded UTF-8
|
464
|
+
# string holding JSON with the encryption context key-value pairs.
|
462
465
|
# @option options [Boolean] :bucket_key_enabled
|
463
466
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
464
467
|
# encryption with server-side encryption using AWS KMS (SSE-KMS).
|
@@ -546,7 +549,8 @@ module Aws::S3
|
|
546
549
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
547
550
|
# @option options [Boolean] :bypass_governance_retention
|
548
551
|
# Indicates whether S3 Object Lock should bypass Governance-mode
|
549
|
-
# restrictions to process this operation.
|
552
|
+
# restrictions to process this operation. To use this header, you must
|
553
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
550
554
|
# @option options [String] :expected_bucket_owner
|
551
555
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
552
556
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -768,20 +772,21 @@ module Aws::S3
|
|
768
772
|
# RFC 1321. Amazon S3 uses this header for a message integrity check to
|
769
773
|
# ensure that the encryption key was transmitted without error.
|
770
774
|
# @option options [String] :ssekms_key_id
|
771
|
-
# Specifies the ID of the symmetric customer managed
|
772
|
-
# for object encryption. All GET and PUT requests for an
|
773
|
-
# protected by
|
774
|
-
# information about configuring using any of the
|
775
|
-
#
|
775
|
+
# Specifies the ID of the symmetric customer managed Amazon Web Services
|
776
|
+
# KMS CMK to use for object encryption. All GET and PUT requests for an
|
777
|
+
# object protected by Amazon Web Services KMS will fail if not made via
|
778
|
+
# SSL or using SigV4. For information about configuring using any of the
|
779
|
+
# officially supported Amazon Web Services SDKs and Amazon Web Services
|
780
|
+
# CLI, see [Specifying the Signature Version in Request
|
776
781
|
# Authentication][1] in the *Amazon S3 User Guide*.
|
777
782
|
#
|
778
783
|
#
|
779
784
|
#
|
780
785
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version
|
781
786
|
# @option options [String] :ssekms_encryption_context
|
782
|
-
# Specifies the
|
783
|
-
# The value of this header is a base64-encoded UTF-8
|
784
|
-
# with the encryption context key-value pairs.
|
787
|
+
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
788
|
+
# object encryption. The value of this header is a base64-encoded UTF-8
|
789
|
+
# string holding JSON with the encryption context key-value pairs.
|
785
790
|
# @option options [Boolean] :bucket_key_enabled
|
786
791
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
787
792
|
# encryption with server-side encryption using AWS KMS (SSE-KMS).
|
@@ -1014,18 +1019,18 @@ module Aws::S3
|
|
1014
1019
|
# ensure that the encryption key was transmitted without error.
|
1015
1020
|
# @option options [String] :ssekms_key_id
|
1016
1021
|
# If `x-amz-server-side-encryption` is present and has the value of
|
1017
|
-
# `aws:kms`, this header specifies the ID of the
|
1018
|
-
# Service (
|
1019
|
-
# (CMK) that was used for the object. If you
|
1020
|
-
# `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
1021
|
-
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1022
|
-
# managed CMK in
|
1023
|
-
#
|
1024
|
-
# not just the ID.
|
1022
|
+
# `aws:kms`, this header specifies the ID of the Amazon Web Services Key
|
1023
|
+
# Management Service (Amazon Web Services KMS) symmetrical customer
|
1024
|
+
# managed customer master key (CMK) that was used for the object. If you
|
1025
|
+
# specify `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
1026
|
+
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1027
|
+
# Amazon Web Services managed CMK in Amazon Web Services to protect the
|
1028
|
+
# data. If the KMS key does not exist in the same account issuing the
|
1029
|
+
# command, you must use the full ARN and not just the ID.
|
1025
1030
|
# @option options [String] :ssekms_encryption_context
|
1026
|
-
# Specifies the
|
1027
|
-
# The value of this header is a base64-encoded UTF-8
|
1028
|
-
# with the encryption context key-value pairs.
|
1031
|
+
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
1032
|
+
# object encryption. The value of this header is a base64-encoded UTF-8
|
1033
|
+
# string holding JSON with the encryption context key-value pairs.
|
1029
1034
|
# @option options [Boolean] :bucket_key_enabled
|
1030
1035
|
# Specifies whether Amazon S3 should use an S3 Bucket Key for object
|
1031
1036
|
# encryption with server-side encryption using AWS KMS (SSE-KMS).
|
@@ -1331,8 +1336,8 @@ module Aws::S3
|
|
1331
1336
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
1332
1337
|
# @option options [Boolean] :bypass_governance_retention
|
1333
1338
|
# Specifies whether you want to delete this object even if it has a
|
1334
|
-
# Governance-type Object Lock in place.
|
1335
|
-
#
|
1339
|
+
# Governance-type Object Lock in place. To use this header, you must
|
1340
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
1336
1341
|
# @option options [String] :expected_bucket_owner
|
1337
1342
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
1338
1343
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -254,7 +254,8 @@ module Aws::S3
|
|
254
254
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
255
255
|
# @option options [Boolean] :bypass_governance_retention
|
256
256
|
# Indicates whether S3 Object Lock should bypass Governance-mode
|
257
|
-
# restrictions to process this operation.
|
257
|
+
# restrictions to process this operation. To use this header, you must
|
258
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
258
259
|
# @option options [String] :expected_bucket_owner
|
259
260
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
260
261
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -543,8 +544,8 @@ module Aws::S3
|
|
543
544
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
544
545
|
# @option options [Boolean] :bypass_governance_retention
|
545
546
|
# Specifies whether you want to delete this object even if it has a
|
546
|
-
# Governance-type Object Lock in place.
|
547
|
-
#
|
547
|
+
# Governance-type Object Lock in place. To use this header, you must
|
548
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
548
549
|
# @option options [String] :expected_bucket_owner
|
549
550
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
550
551
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -3,6 +3,7 @@
|
|
3
3
|
require_relative '../arn/access_point_arn'
|
4
4
|
require_relative '../arn/object_lambda_arn'
|
5
5
|
require_relative '../arn/outpost_access_point_arn'
|
6
|
+
require_relative '../arn/multi_region_access_point_arn'
|
6
7
|
|
7
8
|
module Aws
|
8
9
|
module S3
|
@@ -23,6 +24,18 @@ be made. Set to `false` to use the client's region instead.
|
|
23
24
|
resolve_s3_use_arn_region(cfg)
|
24
25
|
end
|
25
26
|
|
27
|
+
option(
|
28
|
+
:s3_disable_multiregion_access_points,
|
29
|
+
default: false,
|
30
|
+
doc_type: 'Boolean',
|
31
|
+
docstring: <<-DOCS) do |cfg|
|
32
|
+
When set to `false` this will option will raise errors when multi-region
|
33
|
+
access point ARNs are used. Multi-region access points can potentially
|
34
|
+
result in cross region requests.
|
35
|
+
DOCS
|
36
|
+
resolve_s3_disable_multiregion_access_points(cfg)
|
37
|
+
end
|
38
|
+
|
26
39
|
# param validator is validate:50
|
27
40
|
# endpoint is build:90 (populates the URI for the first time)
|
28
41
|
# endpoint pattern is build:10
|
@@ -113,8 +126,14 @@ be made. Set to `false` to use the client's region instead.
|
|
113
126
|
|
114
127
|
if !arn.support_dualstack? && context[:use_dualstack_endpoint]
|
115
128
|
raise ArgumentError,
|
116
|
-
'Cannot provide an Outpost Access Point
|
117
|
-
'`:use_dualstack_endpoint` is set to true.'
|
129
|
+
'Cannot provide an Outpost Access Point or Multi-region Access Point ARN'\
|
130
|
+
' when `:use_dualstack_endpoint` is set to true.'
|
131
|
+
end
|
132
|
+
|
133
|
+
if arn.region.empty? && context.config.s3_disable_multiregion_access_points
|
134
|
+
raise ArgumentError,
|
135
|
+
'Cannot provide a Multi-region Access Point ARN with '\
|
136
|
+
'`:s3_disable_multiregion_access_points` set to true'
|
118
137
|
end
|
119
138
|
end
|
120
139
|
end
|
@@ -147,7 +166,9 @@ be made. Set to `false` to use the client's region instead.
|
|
147
166
|
def resolve_arn_type!(arn)
|
148
167
|
case arn.service
|
149
168
|
when 's3'
|
150
|
-
|
169
|
+
arn.region.empty? ?
|
170
|
+
Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
|
171
|
+
Aws::S3::AccessPointARN.new(arn.to_h)
|
151
172
|
when 's3-outposts'
|
152
173
|
Aws::S3::OutpostAccessPointARN.new(arn.to_h)
|
153
174
|
when 's3-object-lambda'
|
@@ -174,6 +195,21 @@ be made. Set to `false` to use the client's region instead.
|
|
174
195
|
value
|
175
196
|
end
|
176
197
|
|
198
|
+
def resolve_s3_disable_multiregion_access_points(cfg)
|
199
|
+
value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
|
200
|
+
Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
|
201
|
+
'false'
|
202
|
+
value = Aws::Util.str_2_bool(value)
|
203
|
+
# Raise if provided value is not true or false
|
204
|
+
if value.nil?
|
205
|
+
raise ArgumentError,
|
206
|
+
'Must provide either `true` or `false` for '\
|
207
|
+
's3_use_arn_region profile option or for '\
|
208
|
+
"ENV['AWS_S3_USE_ARN_REGION']"
|
209
|
+
end
|
210
|
+
value
|
211
|
+
end
|
212
|
+
|
177
213
|
# Remove ARN from the path because we've already set the new host
|
178
214
|
def url_path(path, arn)
|
179
215
|
path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
|
@@ -208,16 +244,19 @@ be made. Set to `false` to use the client's region instead.
|
|
208
244
|
region = region.gsub('fips-', '').gsub('-fips', '')
|
209
245
|
end
|
210
246
|
|
211
|
-
#
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
247
|
+
# use_arn_region does not apply to MRAP (global) arns
|
248
|
+
unless arn.region.empty?
|
249
|
+
# Raise if the ARN and client regions are in different partitions
|
250
|
+
if use_arn_region &&
|
251
|
+
!Aws::Partitions.partition(arn.partition).region?(region)
|
252
|
+
raise Aws::Errors::InvalidARNPartitionError
|
253
|
+
end
|
216
254
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
255
|
+
# Raise if regions mismatch
|
256
|
+
# Either when it's a fips client or not using the ARN region
|
257
|
+
if (!use_arn_region || fips) && region != arn.region
|
258
|
+
raise Aws::Errors::InvalidARNRegionError
|
259
|
+
end
|
221
260
|
end
|
222
261
|
end
|
223
262
|
end
|
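Review bot: The docstring for the new `:s3_disable_multiregion_access_points` option says errors are raised when it is set to `false`, but the guard added in the hunk at -113 raises only when the option is truthy, so the documented polarity is inverted (and "this will option will" carries a stray word). Because the option exists to stop potentially cross-region requests, an operator following the docstring would leave Multi-region Access Point ARNs enabled while believing them blocked; the line should read ``When set to `true` this option will raise errors when multi-region``. In `resolve_s3_disable_multiregion_access_points` the ArgumentError text looks copied from the `s3_use_arn_region` resolver and should instead use `'s3_disable_multiregion_access_points profile option or for '\` and `"ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS']"`, otherwise a bad value points the user at the wrong setting.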