aws-sdk-s3 1.99.0 → 1.103.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-s3/arn/multi_region_access_point_arn.rb +69 -0
- data/lib/aws-sdk-s3/bucket.rb +7 -7
- data/lib/aws-sdk-s3/client.rb +261 -244
- data/lib/aws-sdk-s3/client_api.rb +3 -0
- data/lib/aws-sdk-s3/encryption/client.rb +1 -1
- data/lib/aws-sdk-s3/encryption/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/client.rb +1 -1
- data/lib/aws-sdk-s3/encryptionV2/decrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/encryptionV2/encrypt_handler.rb +0 -4
- data/lib/aws-sdk-s3/object.rb +22 -21
- data/lib/aws-sdk-s3/object_summary.rb +16 -15
- data/lib/aws-sdk-s3/object_version.rb +4 -3
- data/lib/aws-sdk-s3/plugins/arn.rb +51 -12
- data/lib/aws-sdk-s3/plugins/s3_signer.rb +10 -1
- data/lib/aws-sdk-s3/presigner.rb +6 -0
- data/lib/aws-sdk-s3/types.rb +82 -60
- data/lib/aws-sdk-s3.rb +1 -1
- metadata +8 -7
@@ -22,6 +22,7 @@ module Aws::S3
|
|
22
22
|
AcceptRanges = Shapes::StringShape.new(name: 'AcceptRanges')
|
23
23
|
AccessControlPolicy = Shapes::StructureShape.new(name: 'AccessControlPolicy')
|
24
24
|
AccessControlTranslation = Shapes::StructureShape.new(name: 'AccessControlTranslation')
|
25
|
+
AccessPointArn = Shapes::StringShape.new(name: 'AccessPointArn')
|
25
26
|
AccountId = Shapes::StringShape.new(name: 'AccountId')
|
26
27
|
AllowQuotedRecordDelimiter = Shapes::BooleanShape.new(name: 'AllowQuotedRecordDelimiter')
|
27
28
|
AllowedHeader = Shapes::StringShape.new(name: 'AllowedHeader')
|
@@ -1686,6 +1687,7 @@ module Aws::S3
|
|
1686
1687
|
|
1687
1688
|
MetricsAndOperator.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
|
1688
1689
|
MetricsAndOperator.add_member(:tags, Shapes::ShapeRef.new(shape: TagSet, location_name: "Tag", metadata: {"flattened"=>true}))
|
1690
|
+
MetricsAndOperator.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
|
1689
1691
|
MetricsAndOperator.struct_class = Types::MetricsAndOperator
|
1690
1692
|
|
1691
1693
|
MetricsConfiguration.add_member(:id, Shapes::ShapeRef.new(shape: MetricsId, required: true, location_name: "Id"))
|
@@ -1696,6 +1698,7 @@ module Aws::S3
|
|
1696
1698
|
|
1697
1699
|
MetricsFilter.add_member(:prefix, Shapes::ShapeRef.new(shape: Prefix, location_name: "Prefix"))
|
1698
1700
|
MetricsFilter.add_member(:tag, Shapes::ShapeRef.new(shape: Tag, location_name: "Tag"))
|
1701
|
+
MetricsFilter.add_member(:access_point_arn, Shapes::ShapeRef.new(shape: AccessPointArn, location_name: "AccessPointArn"))
|
1699
1702
|
MetricsFilter.add_member(:and, Shapes::ShapeRef.new(shape: MetricsAndOperator, location_name: "And"))
|
1700
1703
|
MetricsFilter.struct_class = Types::MetricsFilter
|
1701
1704
|
|
@@ -165,10 +165,6 @@ module Aws
|
|
165
165
|
# to initialize the cipher, and the decrypter truncates the
|
166
166
|
# auth tag from the body when writing the final bytes.
|
167
167
|
def authenticated_decrypter(context, cipher, envelope)
|
168
|
-
if RUBY_VERSION.match(/^1.9/)
|
169
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
170
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
171
|
-
end
|
172
168
|
http_resp = context.http_response
|
173
169
|
content_length = http_resp.headers['content-length'].to_i
|
174
170
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -166,10 +166,6 @@ module Aws
|
|
166
166
|
# to initialize the cipher, and the decrypter truncates the
|
167
167
|
# auth tag from the body when writing the final bytes.
|
168
168
|
def authenticated_decrypter(context, cipher, envelope)
|
169
|
-
if RUBY_VERSION.match(/^1.9/)
|
170
|
-
msg = 'authenticated decryption not supported by OpenSSL in Ruby version ~> 1.9'
|
171
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
172
|
-
end
|
173
169
|
http_resp = context.http_response
|
174
170
|
content_length = http_resp.headers['content-length'].to_i
|
175
171
|
auth_tag_length = auth_tag_length(envelope)
|
@@ -9,10 +9,6 @@ module Aws
|
|
9
9
|
class EncryptHandler < Seahorse::Client::Handler
|
10
10
|
|
11
11
|
def call(context)
|
12
|
-
if RUBY_VERSION.match(/^1.9/)
|
13
|
-
raise "authenticated encryption not supported by OpenSSL in Ruby version ~> 1.9"
|
14
|
-
raise Aws::Errors::NonSupportedRubyVersionError, msg
|
15
|
-
end
|
16
12
|
envelope, cipher = context[:encryption][:cipher_provider]
|
17
13
|
.encryption_cipher(
|
18
14
|
kms_encryption_context: context[:encryption][:kms_encryption_context]
|
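--- a/data/lib/aws-sdk-s3/object.rb
+++ b/data/lib/aws-sdk-s3/object.rb
@@ -184,10 +184,10 @@ module Aws::S3
 end
 
 # If the object is stored using server-side encryption either with an
-# Amazon Web Services KMS
-#
-#
-#
+# Amazon Web Services KMS key or an Amazon S3-managed encryption key,
+# the response includes this header with the value of the server-side
+# encryption algorithm used when storing this object in Amazon S3 (for
+# example, AES256, aws:kms).
 # @return [String]
 def server_side_encryption
 data[:server_side_encryption]
@@ -217,8 +217,8 @@ module Aws::S3
 end
 
 # If present, specifies the ID of the Amazon Web Services Key Management
-# Service (Amazon Web Services KMS) symmetric customer managed
-#
+# Service (Amazon Web Services KMS) symmetric customer managed key that
+# was used for the object.
 # @return [String]
 def ssekms_key_id
 data[:ssekms_key_id]
@@ -805,7 +805,8 @@ module Aws::S3
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
 # @option options [Boolean] :bypass_governance_retention
 # Indicates whether S3 Object Lock should bypass Governance-mode
-# restrictions to process this operation.
+# restrictions to process this operation. To use this header, you must
+# have the `s3:PutBucketPublicAccessBlock` permission.
 # @option options [String] :expected_bucket_owner
 # The account ID of the expected bucket owner. If the bucket is owned by
 # a different account, the request will fail with an HTTP `403 (Access
@@ -1027,13 +1028,13 @@ module Aws::S3
 # RFC 1321. Amazon S3 uses this header for a message integrity check to
 # ensure that the encryption key was transmitted without error.
 # @option options [String] :ssekms_key_id
-# Specifies the ID of the symmetric customer managed
-#
-#
-#
-#
-#
-#
+# Specifies the ID of the symmetric customer managed key to use for
+# object encryption. All GET and PUT requests for an object protected by
+# Amazon Web Services KMS will fail if not made via SSL or using SigV4.
+# For information about configuring using any of the officially
+# supported Amazon Web Services SDKs and Amazon Web Services CLI, see
+# [Specifying the Signature Version in Request Authentication][1] in the
+# *Amazon S3 User Guide*.
 #
 #
 #
@@ -1276,12 +1277,12 @@ module Aws::S3
 # If `x-amz-server-side-encryption` is present and has the value of
 # `aws:kms`, this header specifies the ID of the Amazon Web Services Key
 # Management Service (Amazon Web Services KMS) symmetrical customer
-# managed
-#
+# managed key that was used for the object. If you specify
+# `x-amz-server-side-encryption:aws:kms`, but do not provide`
 # x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
-# Amazon Web Services managed
-#
-#
+# Amazon Web Services managed key to protect the data. If the KMS key
+# does not exist in the same account issuing the command, you must use
+# the full ARN and not just the ID.
 # @option options [String] :ssekms_encryption_context
 # Specifies the Amazon Web Services KMS Encryption Context to use for
 # object encryption. The value of this header is a base64-encoded UTF-8
@@ -1668,8 +1669,8 @@ module Aws::S3
 # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
 # @option options [Boolean] :bypass_governance_retention
 # Specifies whether you want to delete this object even if it has a
-# Governance-type Object Lock in place.
-#
+# Governance-type Object Lock in place. To use this header, you must
+# have the `s3:PutBucketPublicAccessBlock` permission.
 # @option options [String] :expected_bucket_owner
 # The account ID of the expected bucket owner. If the bucket is owned by
 # a different account, the request will fail with an HTTP `403 (Access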
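Review bot: The sentence added under `:bypass_governance_retention` (hunks `@@ -805,7 +805,8 @@` and `@@ -1668,8 +1669,8 @@`) names `s3:PutBucketPublicAccessBlock` as the required permission, but that action governs a bucket's Block Public Access settings and has nothing to do with Object Lock; the IAM action that authorizes bypassing Governance-mode retention is `s3:BypassGovernanceRetention`. Anyone writing a least-privilege policy from this comment would grant an unrelated bucket-level permission and still have the bypass denied. The corrected line would read `# have the s3:BypassGovernanceRetention permission.` (with the action name in backticks as elsewhere in the file). The same sentence is added in the later hunks `@@ -549,7 +549,8 @@`, `@@ -1335,8 +1336,8 @@`, `@@ -254,7 +254,8 @@` and `@@ -543,8 +544,8 @@` (apparently object_summary.rb and object_version.rb) and in types.rb. The text looks generated from the service model, so the fix probably has to land upstream as well.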
@@ -549,7 +549,8 @@ module Aws::S3
|
|
549
549
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
550
550
|
# @option options [Boolean] :bypass_governance_retention
|
551
551
|
# Indicates whether S3 Object Lock should bypass Governance-mode
|
552
|
-
# restrictions to process this operation.
|
552
|
+
# restrictions to process this operation. To use this header, you must
|
553
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
553
554
|
# @option options [String] :expected_bucket_owner
|
554
555
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
555
556
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -771,13 +772,13 @@ module Aws::S3
|
|
771
772
|
# RFC 1321. Amazon S3 uses this header for a message integrity check to
|
772
773
|
# ensure that the encryption key was transmitted without error.
|
773
774
|
# @option options [String] :ssekms_key_id
|
774
|
-
# Specifies the ID of the symmetric customer managed
|
775
|
-
#
|
776
|
-
#
|
777
|
-
#
|
778
|
-
#
|
779
|
-
#
|
780
|
-
#
|
775
|
+
# Specifies the ID of the symmetric customer managed key to use for
|
776
|
+
# object encryption. All GET and PUT requests for an object protected by
|
777
|
+
# Amazon Web Services KMS will fail if not made via SSL or using SigV4.
|
778
|
+
# For information about configuring using any of the officially
|
779
|
+
# supported Amazon Web Services SDKs and Amazon Web Services CLI, see
|
780
|
+
# [Specifying the Signature Version in Request Authentication][1] in the
|
781
|
+
# *Amazon S3 User Guide*.
|
781
782
|
#
|
782
783
|
#
|
783
784
|
#
|
@@ -1020,12 +1021,12 @@ module Aws::S3
|
|
1020
1021
|
# If `x-amz-server-side-encryption` is present and has the value of
|
1021
1022
|
# `aws:kms`, this header specifies the ID of the Amazon Web Services Key
|
1022
1023
|
# Management Service (Amazon Web Services KMS) symmetrical customer
|
1023
|
-
# managed
|
1024
|
-
#
|
1024
|
+
# managed key that was used for the object. If you specify
|
1025
|
+
# `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
1025
1026
|
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
1026
|
-
# Amazon Web Services managed
|
1027
|
-
#
|
1028
|
-
#
|
1027
|
+
# Amazon Web Services managed key to protect the data. If the KMS key
|
1028
|
+
# does not exist in the same account issuing the command, you must use
|
1029
|
+
# the full ARN and not just the ID.
|
1029
1030
|
# @option options [String] :ssekms_encryption_context
|
1030
1031
|
# Specifies the Amazon Web Services KMS Encryption Context to use for
|
1031
1032
|
# object encryption. The value of this header is a base64-encoded UTF-8
|
@@ -1335,8 +1336,8 @@ module Aws::S3
|
|
1335
1336
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
1336
1337
|
# @option options [Boolean] :bypass_governance_retention
|
1337
1338
|
# Specifies whether you want to delete this object even if it has a
|
1338
|
-
# Governance-type Object Lock in place.
|
1339
|
-
#
|
1339
|
+
# Governance-type Object Lock in place. To use this header, you must
|
1340
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
1340
1341
|
# @option options [String] :expected_bucket_owner
|
1341
1342
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
1342
1343
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -254,7 +254,8 @@ module Aws::S3
|
|
254
254
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
255
255
|
# @option options [Boolean] :bypass_governance_retention
|
256
256
|
# Indicates whether S3 Object Lock should bypass Governance-mode
|
257
|
-
# restrictions to process this operation.
|
257
|
+
# restrictions to process this operation. To use this header, you must
|
258
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
258
259
|
# @option options [String] :expected_bucket_owner
|
259
260
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
260
261
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -543,8 +544,8 @@ module Aws::S3
|
|
543
544
|
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html
|
544
545
|
# @option options [Boolean] :bypass_governance_retention
|
545
546
|
# Specifies whether you want to delete this object even if it has a
|
546
|
-
# Governance-type Object Lock in place.
|
547
|
-
#
|
547
|
+
# Governance-type Object Lock in place. To use this header, you must
|
548
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
548
549
|
# @option options [String] :expected_bucket_owner
|
549
550
|
# The account ID of the expected bucket owner. If the bucket is owned by
|
550
551
|
# a different account, the request will fail with an HTTP `403 (Access
|
@@ -3,6 +3,7 @@
|
|
3
3
|
require_relative '../arn/access_point_arn'
|
4
4
|
require_relative '../arn/object_lambda_arn'
|
5
5
|
require_relative '../arn/outpost_access_point_arn'
|
6
|
+
require_relative '../arn/multi_region_access_point_arn'
|
6
7
|
|
7
8
|
module Aws
|
8
9
|
module S3
|
@@ -23,6 +24,18 @@ be made. Set to `false` to use the client's region instead.
|
|
23
24
|
resolve_s3_use_arn_region(cfg)
|
24
25
|
end
|
25
26
|
|
27
|
+
option(
|
28
|
+
:s3_disable_multiregion_access_points,
|
29
|
+
default: false,
|
30
|
+
doc_type: 'Boolean',
|
31
|
+
docstring: <<-DOCS) do |cfg|
|
32
|
+
When set to `false` this will option will raise errors when multi-region
|
33
|
+
access point ARNs are used. Multi-region access points can potentially
|
34
|
+
result in cross region requests.
|
35
|
+
DOCS
|
36
|
+
resolve_s3_disable_multiregion_access_points(cfg)
|
37
|
+
end
|
38
|
+
|
26
39
|
# param validator is validate:50
|
27
40
|
# endpoint is build:90 (populates the URI for the first time)
|
28
41
|
# endpoint pattern is build:10
|
@@ -113,8 +126,14 @@ be made. Set to `false` to use the client's region instead.
|
|
113
126
|
|
114
127
|
if !arn.support_dualstack? && context[:use_dualstack_endpoint]
|
115
128
|
raise ArgumentError,
|
116
|
-
'Cannot provide an Outpost Access Point
|
117
|
-
'`:use_dualstack_endpoint` is set to true.'
|
129
|
+
'Cannot provide an Outpost Access Point or Multi-region Access Point ARN'\
|
130
|
+
' when `:use_dualstack_endpoint` is set to true.'
|
131
|
+
end
|
132
|
+
|
133
|
+
if arn.region.empty? && context.config.s3_disable_multiregion_access_points
|
134
|
+
raise ArgumentError,
|
135
|
+
'Cannot provide a Multi-region Access Point ARN with '\
|
136
|
+
'`:s3_disable_multiregion_access_points` set to true'
|
118
137
|
end
|
119
138
|
end
|
120
139
|
end
|
@@ -147,7 +166,9 @@ be made. Set to `false` to use the client's region instead.
|
|
147
166
|
def resolve_arn_type!(arn)
|
148
167
|
case arn.service
|
149
168
|
when 's3'
|
150
|
-
|
169
|
+
arn.region.empty? ?
|
170
|
+
Aws::S3::MultiRegionAccessPointARN.new(arn.to_h) :
|
171
|
+
Aws::S3::AccessPointARN.new(arn.to_h)
|
151
172
|
when 's3-outposts'
|
152
173
|
Aws::S3::OutpostAccessPointARN.new(arn.to_h)
|
153
174
|
when 's3-object-lambda'
|
@@ -174,6 +195,21 @@ be made. Set to `false` to use the client's region instead.
|
|
174
195
|
value
|
175
196
|
end
|
176
197
|
|
198
|
+
def resolve_s3_disable_multiregion_access_points(cfg)
|
199
|
+
value = ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS'] ||
|
200
|
+
Aws.shared_config.s3_disable_multiregion_access_points(profile: cfg.profile) ||
|
201
|
+
'false'
|
202
|
+
value = Aws::Util.str_2_bool(value)
|
203
|
+
# Raise if provided value is not true or false
|
204
|
+
if value.nil?
|
205
|
+
raise ArgumentError,
|
206
|
+
'Must provide either `true` or `false` for '\
|
207
|
+
's3_use_arn_region profile option or for '\
|
208
|
+
"ENV['AWS_S3_USE_ARN_REGION']"
|
209
|
+
end
|
210
|
+
value
|
211
|
+
end
|
212
|
+
|
177
213
|
# Remove ARN from the path because we've already set the new host
|
178
214
|
def url_path(path, arn)
|
179
215
|
path = path.sub("/#{Seahorse::Util.uri_escape(arn.to_s)}", '')
|
@@ -208,16 +244,19 @@ be made. Set to `false` to use the client's region instead.
|
|
208
244
|
region = region.gsub('fips-', '').gsub('-fips', '')
|
209
245
|
end
|
210
246
|
|
211
|
-
#
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
247
|
+
# use_arn_region does not apply to MRAP (global) arns
|
248
|
+
unless arn.region.empty?
|
249
|
+
# Raise if the ARN and client regions are in different partitions
|
250
|
+
if use_arn_region &&
|
251
|
+
!Aws::Partitions.partition(arn.partition).region?(region)
|
252
|
+
raise Aws::Errors::InvalidARNPartitionError
|
253
|
+
end
|
216
254
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
255
|
+
# Raise if regions mismatch
|
256
|
+
# Either when it's a fips client or not using the ARN region
|
257
|
+
if (!use_arn_region || fips) && region != arn.region
|
258
|
+
raise Aws::Errors::InvalidARNRegionError
|
259
|
+
end
|
221
260
|
end
|
222
261
|
end
|
223
262
|
end
|
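Review bot: The ArgumentError raised in the new `resolve_s3_disable_multiregion_access_points` names the wrong setting: its message refers to `s3_use_arn_region` and `ENV['AWS_S3_USE_ARN_REGION']`, apparently copied from the resolver above it, so a user who gives the new option a bad value is pointed at a different one. The two message lines should read `'s3_disable_multiregion_access_points profile option or for '\` and `"ENV['AWS_S3_DISABLE_MULTIREGION_ACCESS_POINTS']"`. The option docstring in hunk `@@ -23,6 +24,18 @@` has a related slip: it says errors are raised when the option is `false` (and repeats "will"), while the check added at new line 133 raises when it is true; ``When set to `true` this option will raise errors when multi-region`` matches the code. This switch is what a deployment uses to refuse requests that may cross regions, so its user-facing text should describe the behaviour it actually has.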
@@ -74,9 +74,17 @@ module Aws
|
|
74
74
|
credentials: context.config.credentials
|
75
75
|
)
|
76
76
|
elsif (arn = context.metadata[:s3_arn])
|
77
|
+
if arn[:arn].is_a?(MultiRegionAccessPointARN)
|
78
|
+
signing_region = '*'
|
79
|
+
signing_algorithm = :sigv4a
|
80
|
+
else
|
81
|
+
signing_region = arn[:resolved_region]
|
82
|
+
signing_algorithm = :sigv4
|
83
|
+
end
|
77
84
|
S3Signer.build_v4_signer(
|
78
85
|
service: arn[:arn].service,
|
79
|
-
|
86
|
+
signing_algorithm: signing_algorithm,
|
87
|
+
region: signing_region,
|
80
88
|
credentials: context.config.credentials
|
81
89
|
)
|
82
90
|
elsif context.operation.name == 'WriteGetObjectResponse'
|
@@ -216,6 +224,7 @@ module Aws
|
|
216
224
|
service: options[:service],
|
217
225
|
region: options[:region],
|
218
226
|
credentials_provider: options[:credentials],
|
227
|
+
signing_algorithm: options.fetch(:signing_algorithm, :sigv4),
|
219
228
|
uri_escape_path: false,
|
220
229
|
unsigned_headers: ['content-length', 'x-amzn-trace-id']
|
221
230
|
)
|
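Review bot: The branch added in hunk `@@ -74,9 +74,17 @@` signs with region `'*'` and `:sigv4a` but carries no comment saying why, and a literal wildcard region is easy to misread as a placeholder or a bug. A one-line comment above the `if` would cover it, for example `# Multi-region access point ARNs have no region: sign with SigV4A for the wildcard region`. It would also be worth stating there that such a signature is not bound to one region, which appears to be the reason the `s3_disable_multiregion_access_points` option was added alongside it. The enclosing method begins and ends outside the hunk.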
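--- a/data/lib/aws-sdk-s3/presigner.rb
+++ b/data/lib/aws-sdk-s3/presigner.rb
@@ -231,17 +231,23 @@ module Aws
 end
 http_req.endpoint.query = query.join('&') unless query.empty?
 
+signing_algorithm = :sigv4
+
 # If it's an ARN, get the resolved region and service
 if (arn = context.metadata[:s3_arn])
 region = arn[:resolved_region]
 service = arn[:arn].service
+region = arn[:arn].is_a?(MultiRegionAccessPointARN) ? '*': arn[:resolved_region]
+signing_algorithm = arn[:arn].is_a?(MultiRegionAccessPointARN) ? :sigv4a : :sigv4
 end
 
 signer = Aws::Sigv4::Signer.new(
 service: service || 's3',
 region: region || context.config.region,
+signing_algorithm: signing_algorithm,
 credentials_provider: context.config.credentials,
 unsigned_headers: unsigned_headers,
+apply_checksum_header: false,
 uri_escape_path: false
 )
 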
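Review bot: Inside the `if (arn = context.metadata[:s3_arn])` block the unchanged line `region = arn[:resolved_region]` is now a dead store, because the line added after `service = arn[:arn].service` assigns `region` again; the `is_a?(MultiRegionAccessPointARN)` test is also evaluated twice, and `'*':` lacks the space before the colon. Replacing the three assignments with `mrap = arn[:arn].is_a?(MultiRegionAccessPointARN)`, `region = mrap ? '*' : arn[:resolved_region]` and `signing_algorithm = mrap ? :sigv4a : :sigv4` keeps the behaviour and states the condition once. A presigned URL signed for the wildcard region is presumably usable wherever the access point routes, so a short comment to that effect would help people reviewing code that hands these URLs out. The enclosing method begins and ends outside the hunk.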
data/lib/aws-sdk-s3/types.rb
CHANGED
@@ -964,10 +964,10 @@ module Aws::S3
|
|
964
964
|
#
|
965
965
|
# @!attribute [rw] server_side_encryption
|
966
966
|
# If you specified server-side encryption either with an Amazon
|
967
|
-
# S3-managed encryption key or an Amazon Web Services KMS
|
968
|
-
#
|
969
|
-
#
|
970
|
-
#
|
967
|
+
# S3-managed encryption key or an Amazon Web Services KMS key in your
|
968
|
+
# initiate multipart upload request, the response includes this
|
969
|
+
# header. It confirms the encryption algorithm that Amazon S3 used to
|
970
|
+
# encrypt the object.
|
971
971
|
# @return [String]
|
972
972
|
#
|
973
973
|
# @!attribute [rw] version_id
|
@@ -978,7 +978,7 @@ module Aws::S3
|
|
978
978
|
# @!attribute [rw] ssekms_key_id
|
979
979
|
# If present, specifies the ID of the Amazon Web Services Key
|
980
980
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
981
|
-
# managed
|
981
|
+
# managed key that was used for the object.
|
982
982
|
# @return [String]
|
983
983
|
#
|
984
984
|
# @!attribute [rw] bucket_key_enabled
|
@@ -1248,7 +1248,7 @@ module Aws::S3
|
|
1248
1248
|
# @!attribute [rw] ssekms_key_id
|
1249
1249
|
# If present, specifies the ID of the Amazon Web Services Key
|
1250
1250
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
1251
|
-
# managed
|
1251
|
+
# managed key that was used for the object.
|
1252
1252
|
# @return [String]
|
1253
1253
|
#
|
1254
1254
|
# @!attribute [rw] ssekms_encryption_context
|
@@ -1917,7 +1917,7 @@ module Aws::S3
|
|
1917
1917
|
# @!attribute [rw] ssekms_key_id
|
1918
1918
|
# If present, specifies the ID of the Amazon Web Services Key
|
1919
1919
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
1920
|
-
# managed
|
1920
|
+
# managed key that was used for the object.
|
1921
1921
|
# @return [String]
|
1922
1922
|
#
|
1923
1923
|
# @!attribute [rw] ssekms_encryption_context
|
@@ -2130,14 +2130,13 @@ module Aws::S3
|
|
2130
2130
|
# @return [String]
|
2131
2131
|
#
|
2132
2132
|
# @!attribute [rw] ssekms_key_id
|
2133
|
-
# Specifies the ID of the symmetric customer managed
|
2134
|
-
#
|
2135
|
-
#
|
2136
|
-
#
|
2137
|
-
#
|
2138
|
-
#
|
2139
|
-
#
|
2140
|
-
# User Guide*.
|
2133
|
+
# Specifies the ID of the symmetric customer managed key to use for
|
2134
|
+
# object encryption. All GET and PUT requests for an object protected
|
2135
|
+
# by Amazon Web Services KMS will fail if not made via SSL or using
|
2136
|
+
# SigV4. For information about configuring using any of the officially
|
2137
|
+
# supported Amazon Web Services SDKs and Amazon Web Services CLI, see
|
2138
|
+
# [Specifying the Signature Version in Request Authentication][1] in
|
2139
|
+
# the *Amazon S3 User Guide*.
|
2141
2140
|
#
|
2142
2141
|
#
|
2143
2142
|
#
|
@@ -2861,7 +2860,8 @@ module Aws::S3
|
|
2861
2860
|
#
|
2862
2861
|
# @!attribute [rw] bypass_governance_retention
|
2863
2862
|
# Indicates whether S3 Object Lock should bypass Governance-mode
|
2864
|
-
# restrictions to process this operation.
|
2863
|
+
# restrictions to process this operation. To use this header, you must
|
2864
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
2865
2865
|
# @return [Boolean]
|
2866
2866
|
#
|
2867
2867
|
# @!attribute [rw] expected_bucket_owner
|
@@ -3057,8 +3057,8 @@ module Aws::S3
|
|
3057
3057
|
#
|
3058
3058
|
# @!attribute [rw] bypass_governance_retention
|
3059
3059
|
# Specifies whether you want to delete this object even if it has a
|
3060
|
-
# Governance-type Object Lock in place.
|
3061
|
-
#
|
3060
|
+
# Governance-type Object Lock in place. To use this header, you must
|
3061
|
+
# have the `s3:PutBucketPublicAccessBlock` permission.
|
3062
3062
|
# @return [Boolean]
|
3063
3063
|
#
|
3064
3064
|
# @!attribute [rw] expected_bucket_owner
|
@@ -3265,11 +3265,10 @@ module Aws::S3
|
|
3265
3265
|
#
|
3266
3266
|
# @!attribute [rw] kms_key_id
|
3267
3267
|
# If the encryption type is `aws:kms`, this optional value specifies
|
3268
|
-
# the ID of the symmetric customer managed
|
3269
|
-
#
|
3270
|
-
#
|
3271
|
-
#
|
3272
|
-
# Service Developer Guide*.
|
3268
|
+
# the ID of the symmetric customer managed key to use for encryption
|
3269
|
+
# of job results. Amazon S3 only supports symmetric keys. For more
|
3270
|
+
# information, see [Using symmetric and asymmetric keys][1] in the
|
3271
|
+
# *Amazon Web Services Key Management Service Developer Guide*.
|
3273
3272
|
#
|
3274
3273
|
#
|
3275
3274
|
#
|
@@ -5482,7 +5481,7 @@ module Aws::S3
|
|
5482
5481
|
# @!attribute [rw] ssekms_key_id
|
5483
5482
|
# If present, specifies the ID of the Amazon Web Services Key
|
5484
5483
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
5485
|
-
# managed
|
5484
|
+
# managed key that was used for the object.
|
5486
5485
|
# @return [String]
|
5487
5486
|
#
|
5488
5487
|
# @!attribute [rw] bucket_key_enabled
|
@@ -5606,6 +5605,9 @@ module Aws::S3
|
|
5606
5605
|
# bucket name. For more information about access point ARNs, see
|
5607
5606
|
# [Using access points][1] in the *Amazon S3 User Guide*.
|
5608
5607
|
#
|
5608
|
+
# When using an Object Lambda access point the hostname takes the form
|
5609
|
+
# *AccessPointName*-*AccountId*.s3-object-lambda.*Region*.amazonaws.com.
|
5610
|
+
#
|
5609
5611
|
# When using this action with Amazon S3 on Outposts, you must direct
|
5610
5612
|
# requests to the S3 on Outposts hostname. The S3 on Outposts hostname
|
5611
5613
|
# takes the form
|
@@ -6329,10 +6331,10 @@ module Aws::S3
|
|
6329
6331
|
#
|
6330
6332
|
# @!attribute [rw] server_side_encryption
|
6331
6333
|
# If the object is stored using server-side encryption either with an
|
6332
|
-
# Amazon Web Services KMS
|
6333
|
-
#
|
6334
|
-
#
|
6335
|
-
#
|
6334
|
+
# Amazon Web Services KMS key or an Amazon S3-managed encryption key,
|
6335
|
+
# the response includes this header with the value of the server-side
|
6336
|
+
# encryption algorithm used when storing this object in Amazon S3 (for
|
6337
|
+
# example, AES256, aws:kms).
|
6336
6338
|
# @return [String]
|
6337
6339
|
#
|
6338
6340
|
# @!attribute [rw] metadata
|
@@ -6355,7 +6357,7 @@ module Aws::S3
|
|
6355
6357
|
# @!attribute [rw] ssekms_key_id
|
6356
6358
|
# If present, specifies the ID of the Amazon Web Services Key
|
6357
6359
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
6358
|
-
# managed
|
6360
|
+
# managed key that was used for the object.
|
6359
6361
|
# @return [String]
|
6360
6362
|
#
|
6361
6363
|
# @!attribute [rw] bucket_key_enabled
|
@@ -9047,6 +9049,7 @@ module Aws::S3
|
|
9047
9049
|
# value: "Value", # required
|
9048
9050
|
# },
|
9049
9051
|
# ],
|
9052
|
+
# access_point_arn: "AccessPointArn",
|
9050
9053
|
# }
|
9051
9054
|
#
|
9052
9055
|
# @!attribute [rw] prefix
|
@@ -9057,11 +9060,16 @@ module Aws::S3
|
|
9057
9060
|
# The list of tags used when evaluating an AND predicate.
|
9058
9061
|
# @return [Array<Types::Tag>]
|
9059
9062
|
#
|
9063
|
+
# @!attribute [rw] access_point_arn
|
9064
|
+
# The access point ARN used when evaluating an AND predicate.
|
9065
|
+
# @return [String]
|
9066
|
+
#
|
9060
9067
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/MetricsAndOperator AWS API Documentation
|
9061
9068
|
#
|
9062
9069
|
class MetricsAndOperator < Struct.new(
|
9063
9070
|
:prefix,
|
9064
|
-
:tags
|
9071
|
+
:tags,
|
9072
|
+
:access_point_arn)
|
9065
9073
|
SENSITIVE = []
|
9066
9074
|
include Aws::Structure
|
9067
9075
|
end
|
@@ -9071,8 +9079,7 @@ module Aws::S3
|
|
9071
9079
|
# If you're updating an existing metrics configuration, note that this
|
9072
9080
|
# is a full replacement of the existing metrics configuration. If you
|
9073
9081
|
# don't include the elements you want to keep, they are erased. For
|
9074
|
-
# more information, see [
|
9075
|
-
# Reference*.
|
9082
|
+
# more information, see [PutBucketMetricsConfiguration][1].
|
9076
9083
|
#
|
9077
9084
|
#
|
9078
9085
|
#
|
@@ -9089,6 +9096,7 @@ module Aws::S3
|
|
9089
9096
|
# key: "ObjectKey", # required
|
9090
9097
|
# value: "Value", # required
|
9091
9098
|
# },
|
9099
|
+
# access_point_arn: "AccessPointArn",
|
9092
9100
|
# and: {
|
9093
9101
|
# prefix: "Prefix",
|
9094
9102
|
# tags: [
|
@@ -9097,6 +9105,7 @@ module Aws::S3
|
|
9097
9105
|
# value: "Value", # required
|
9098
9106
|
# },
|
9099
9107
|
# ],
|
9108
|
+
# access_point_arn: "AccessPointArn",
|
9100
9109
|
# },
|
9101
9110
|
# },
|
9102
9111
|
# }
|
@@ -9108,7 +9117,8 @@ module Aws::S3
|
|
9108
9117
|
# @!attribute [rw] filter
|
9109
9118
|
# Specifies a metrics configuration filter. The metrics configuration
|
9110
9119
|
# will only include objects that meet the filter's criteria. A filter
|
9111
|
-
# must be a prefix,
|
9120
|
+
# must be a prefix, an object tag, an access point ARN, or a
|
9121
|
+
# conjunction (MetricsAndOperator).
|
9112
9122
|
# @return [Types::MetricsFilter]
|
9113
9123
|
#
|
9114
9124
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/MetricsConfiguration AWS API Documentation
|
@@ -9122,7 +9132,13 @@ module Aws::S3
|
|
9122
9132
|
|
9123
9133
|
# Specifies a metrics configuration filter. The metrics configuration
|
9124
9134
|
# only includes objects that meet the filter's criteria. A filter must
|
9125
|
-
# be a prefix,
|
9135
|
+
# be a prefix, an object tag, an access point ARN, or a conjunction
|
9136
|
+
# (MetricsAndOperator). For more information, see
|
9137
|
+
# [PutBucketMetricsConfiguration][1].
|
9138
|
+
#
|
9139
|
+
#
|
9140
|
+
#
|
9141
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketMetricsConfiguration.html
|
9126
9142
|
#
|
9127
9143
|
# @note When making an API call, you may pass MetricsFilter
|
9128
9144
|
# data as a hash:
|
@@ -9133,6 +9149,7 @@ module Aws::S3
|
|
9133
9149
|
# key: "ObjectKey", # required
|
9134
9150
|
# value: "Value", # required
|
9135
9151
|
# },
|
9152
|
+
# access_point_arn: "AccessPointArn",
|
9136
9153
|
# and: {
|
9137
9154
|
# prefix: "Prefix",
|
9138
9155
|
# tags: [
|
@@ -9141,6 +9158,7 @@ module Aws::S3
|
|
9141
9158
|
# value: "Value", # required
|
9142
9159
|
# },
|
9143
9160
|
# ],
|
9161
|
+
# access_point_arn: "AccessPointArn",
|
9144
9162
|
# },
|
9145
9163
|
# }
|
9146
9164
|
#
|
@@ -9152,6 +9170,10 @@ module Aws::S3
|
|
9152
9170
|
# The tag used when evaluating a metrics filter.
|
9153
9171
|
# @return [Types::Tag]
|
9154
9172
|
#
|
9173
|
+
# @!attribute [rw] access_point_arn
|
9174
|
+
# The access point ARN used when evaluating a metrics filter.
|
9175
|
+
# @return [String]
|
9176
|
+
#
|
9155
9177
|
# @!attribute [rw] and
|
9156
9178
|
# A conjunction (logical AND) of predicates, which is used in
|
9157
9179
|
# evaluating a metrics filter. The operator must have at least two
|
@@ -9164,6 +9186,7 @@ module Aws::S3
|
|
9164
9186
|
class MetricsFilter < Struct.new(
|
9165
9187
|
:prefix,
|
9166
9188
|
:tag,
|
9189
|
+
:access_point_arn,
|
9167
9190
|
:and)
|
9168
9191
|
SENSITIVE = []
|
9169
9192
|
include Aws::Structure
|
@@ -10392,10 +10415,10 @@ module Aws::S3
|
|
10392
10415
|
#
|
10393
10416
|
# @!attribute [rw] bucket
|
10394
10417
|
# Specifies default encryption for a bucket using server-side
|
10395
|
-
# encryption with Amazon S3-managed keys (SSE-S3) or customer
|
10396
|
-
# keys
|
10397
|
-
#
|
10398
|
-
#
|
10418
|
+
# encryption with Amazon S3-managed keys (SSE-S3) or customer managed
|
10419
|
+
# keys (SSE-KMS). For information about the Amazon S3 default
|
10420
|
+
# encryption feature, see [Amazon S3 Default Bucket Encryption][1] in
|
10421
|
+
# the *Amazon S3 User Guide*.
|
10399
10422
|
#
|
10400
10423
|
#
|
10401
10424
|
#
|
@@ -10777,6 +10800,7 @@ module Aws::S3
|
|
10777
10800
|
# key: "ObjectKey", # required
|
10778
10801
|
# value: "Value", # required
|
10779
10802
|
# },
|
10803
|
+
# access_point_arn: "AccessPointArn",
|
10780
10804
|
# and: {
|
10781
10805
|
# prefix: "Prefix",
|
10782
10806
|
# tags: [
|
@@ -10785,6 +10809,7 @@ module Aws::S3
|
|
10785
10809
|
# value: "Value", # required
|
10786
10810
|
# },
|
10787
10811
|
# ],
|
10812
|
+
# access_point_arn: "AccessPointArn",
|
10788
10813
|
# },
|
10789
10814
|
# },
|
10790
10815
|
# },
|
@@ -11838,10 +11863,9 @@ module Aws::S3
|
|
11838
11863
|
#
|
11839
11864
|
# @!attribute [rw] server_side_encryption
|
11840
11865
|
# If you specified server-side encryption either with an Amazon Web
|
11841
|
-
# Services KMS
|
11842
|
-
#
|
11843
|
-
#
|
11844
|
-
# encrypt the object.
|
11866
|
+
# Services KMS key or Amazon S3-managed encryption key in your PUT
|
11867
|
+
# request, the response includes this header. It confirms the
|
11868
|
+
# encryption algorithm that Amazon S3 used to encrypt the object.
|
11845
11869
|
# @return [String]
|
11846
11870
|
#
|
11847
11871
|
# @!attribute [rw] version_id
|
@@ -11865,7 +11889,7 @@ module Aws::S3
|
|
11865
11889
|
# If `x-amz-server-side-encryption` is present and has the value of
|
11866
11890
|
# `aws:kms`, this header specifies the ID of the Amazon Web Services
|
11867
11891
|
# Key Management Service (Amazon Web Services KMS) symmetric customer
|
11868
|
-
# managed
|
11892
|
+
# managed key that was used for the object.
|
11869
11893
|
# @return [String]
|
11870
11894
|
#
|
11871
11895
|
# @!attribute [rw] ssekms_encryption_context
|
@@ -12167,13 +12191,12 @@ module Aws::S3
|
|
12167
12191
|
# If `x-amz-server-side-encryption` is present and has the value of
|
12168
12192
|
# `aws:kms`, this header specifies the ID of the Amazon Web Services
|
12169
12193
|
# Key Management Service (Amazon Web Services KMS) symmetrical
|
12170
|
-
# customer managed
|
12171
|
-
#
|
12172
|
-
#
|
12173
|
-
#
|
12174
|
-
#
|
12175
|
-
#
|
12176
|
-
# the ID.
|
12194
|
+
# customer managed key that was used for the object. If you specify
|
12195
|
+
# `x-amz-server-side-encryption:aws:kms`, but do not provide`
|
12196
|
+
# x-amz-server-side-encryption-aws-kms-key-id`, Amazon S3 uses the
|
12197
|
+
# Amazon Web Services managed key to protect the data. If the KMS key
|
12198
|
+
# does not exist in the same account issuing the command, you must use
|
12199
|
+
# the full ARN and not just the ID.
|
12177
12200
|
# @return [String]
|
12178
12201
|
#
|
12179
12202
|
# @!attribute [rw] ssekms_encryption_context
|
@@ -13021,8 +13044,8 @@ module Aws::S3
|
|
13021
13044
|
# source objects that you want to replicate. You can choose to enable
|
13022
13045
|
# or disable the replication of these objects. Currently, Amazon S3
|
13023
13046
|
# supports only the filter that you can specify for objects created
|
13024
|
-
# with server-side encryption using a customer
|
13025
|
-
#
|
13047
|
+
# with server-side encryption using a customer managed key stored in
|
13048
|
+
# Amazon Web Services Key Management Service (SSE-KMS).
|
13026
13049
|
# @return [Types::SourceSelectionCriteria]
|
13027
13050
|
#
|
13028
13051
|
# @!attribute [rw] existing_object_replication
|
@@ -13901,8 +13924,8 @@ module Aws::S3
|
|
13901
13924
|
#
|
13902
13925
|
# @!attribute [rw] key_id
|
13903
13926
|
# Specifies the ID of the Amazon Web Services Key Management Service
|
13904
|
-
# (Amazon Web Services KMS) symmetric customer managed
|
13905
|
-
#
|
13927
|
+
# (Amazon Web Services KMS) symmetric customer managed key to use for
|
13928
|
+
# encrypting inventory reports.
|
13906
13929
|
# @return [String]
|
13907
13930
|
#
|
13908
13931
|
# @see http://docs.aws.amazon.com/goto/WebAPI/s3-2006-03-01/SSEKMS AWS API Documentation
|
@@ -14343,8 +14366,8 @@ module Aws::S3
|
|
14343
14366
|
# source objects that you want to replicate. You can choose to enable or
|
14344
14367
|
# disable the replication of these objects. Currently, Amazon S3
|
14345
14368
|
# supports only the filter that you can specify for objects created with
|
14346
|
-
# server-side encryption using a customer
|
14347
|
-
#
|
14369
|
+
# server-side encryption using a customer managed key stored in Amazon
|
14370
|
+
# Web Services Key Management Service (SSE-KMS).
|
14348
14371
|
#
|
14349
14372
|
# @note When making an API call, you may pass SourceSelectionCriteria
|
14350
14373
|
# data as a hash:
|
@@ -14836,7 +14859,7 @@ module Aws::S3
|
|
14836
14859
|
# @!attribute [rw] ssekms_key_id
|
14837
14860
|
# If present, specifies the ID of the Amazon Web Services Key
|
14838
14861
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
14839
|
-
# managed
|
14862
|
+
# managed key that was used for the object.
|
14840
14863
|
# @return [String]
|
14841
14864
|
#
|
14842
14865
|
# @!attribute [rw] bucket_key_enabled
|
@@ -15118,7 +15141,7 @@ module Aws::S3
|
|
15118
15141
|
# @!attribute [rw] ssekms_key_id
|
15119
15142
|
# If present, specifies the ID of the Amazon Web Services Key
|
15120
15143
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
15121
|
-
# managed
|
15144
|
+
# managed key was used for the object.
|
15122
15145
|
# @return [String]
|
15123
15146
|
#
|
15124
15147
|
# @!attribute [rw] bucket_key_enabled
|
@@ -15614,8 +15637,7 @@ module Aws::S3
|
|
15614
15637
|
# @!attribute [rw] ssekms_key_id
|
15615
15638
|
# If present, specifies the ID of the Amazon Web Services Key
|
15616
15639
|
# Management Service (Amazon Web Services KMS) symmetric customer
|
15617
|
-
# managed
|
15618
|
-
# S3 object.
|
15640
|
+
# managed key that was used for stored in Amazon S3 object.
|
15619
15641
|
# @return [String]
|
15620
15642
|
#
|
15621
15643
|
# @!attribute [rw] sse_customer_key_md5
|