dvla-kaping 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 99f6221990bbf656183aec0b2880b716f67038fd43a8e4daa72a80004dc15d76
-  data.tar.gz: 20b2397b50c3c0e847b8a0b6b675b53755c90cfaf89674db85922bbb7e7a00c8
+  metadata.gz: 760f300cb49bc582101a24d6854ad96ca73094f81423971c47c85fcbc680992e
+  data.tar.gz: 756336c4dc3963e399f7af55e3564c7b3165388c331ae35dd8c2895bf337c278
 SHA512:
-  metadata.gz: 71ec529b6e6dedaa7655ad86b33acf5ccf2edac1d32a6f195eba38033134be880b928796e256efd63cb4cc9dde3d191488c4a781db54f851219a04859ecfa2a2
-  data.tar.gz: 0efa699c3eba860ed2b4b03d80fe9a4452eef8dd541e7c39690cb113f6bb715036fb01688acfd1e1be14351318885fdead1a961116749f5da185980df06ab5ef
+  metadata.gz: 5b3ecb88b4d6c7156921bd9afb8599045064725c0cfbf3158cefbe8e7b16e7cd365071e4c63cbbb0a4e07cf502bc5bf5fbb699587f5d8d68e7745cb9ce53f763
+  data.tar.gz: f6bca6eacf464d5ce73f8a1b3028f752e53dcd63969f338f6773028c10597e4974d9648b6c8d7801f44c26431eb2234dd982df8379f6cca1b89e5d55b3948fcf

data/.rubocop.yml

@@ -2,7 +2,7 @@ inherit_gem:
   dvla-lint: ".rubocop.yml"
 
 AllCops:
-  TargetRubyVersion: 3.0
+  TargetRubyVersion: 4.0
 
 Style/StringLiterals:
   EnforcedStyle: single_quotes

data/.ruby-version

@@ -1 +1 @@
-3.4.7
+4.0.2

data/.tool-versions

@@ -1 +1 @@
-ruby 3.4.7
+ruby 4.0.2

data/CHANGELOG.md

@@ -1,14 +1,19 @@
 ## [Unreleased]
 
-## [1.0.2] - 2024-11-07
+## [1.0.5] - 2025-11-10
 
-- Initial release
+- Fixed AWS credential handling to return proper credentials from assume role
+- Added AWS credential chain and SSO documentation to README
+
+## [1.0.4] - 2025-11-10
+
+- Update gems and fixed issue with git actions
 
 ## [1.0.3] - 2025-09-03
 
 - Moved runtime dependencies to the gemspec
 
-## [1.0.4] - 2025-11-10
+## [1.0.2] - 2024-11-07
 
-- Update gems and fixed issue with git actions
+- Initial release
 

data/README.md

@@ -74,18 +74,52 @@ kaping:
 
 ```
 If you want to use the built-in client, and your OpenSearch instance is hosted in a Amazon VPC you will need to assume AWS permissions for access to run the queries.
-there are two options, you can either use profile or environment
+There are two options, you can either use profile or environment
 
-Profile will just pick up the credentials save in your specified shared credentials ini file at ~/.aws/credentials, 
+Profile will just pick up the credentials saved in your specified shared credentials ini file at ~/.aws/credentials, 
 
 ```yml
   aws:
-    #  to use an AWS profile config file then set to profile, otherwise environment settings will be used
-    credential_type: profile
+    #  to use an AWS profile config file, then set to profile, otherwise environment settings will be used
+    credential_type: profile | env | credentials
     account_id: ##########
+    role: ROLE 
     region: aws-region
     profile: PROFILE
-    role: ROLE  
+     
+```
+
+### AWS Credential Chain
+
+The gem supports three credential strategies:
+
+| credential_type | How it works |
+|---|---|
+| `profile` | Uses the named profile from `~/.aws/config` to create an STS client, then assumes the configured role. Supports SSO profiles. |
+| `env` | Uses environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, or `AWS_PROFILE`) to create an STS client, then assumes the configured role. |
+| `credentials` | Delegates to the AWS SDK default credential provider chain, which walks through env vars → shared config/credentials → SSO → ECS/EC2 instance roles in order. No role assumption is performed. |
+
+### Using AWS SSO
+
+If your organisation uses AWS IAM Identity Center (SSO), authenticate first then set the profile:
+
+```bash
+aws sso login --profile my-sso-profile
+```
+
+Then either:
+- Set `credential_type: profile` and `profile: my-sso-profile` in your `kaping.yml`
+- Or set `credential_type: env` / `credentials` and export `AWS_PROFILE=my-sso-profile`
+
+The SDK will resolve the cached SSO token automatically. Ensure your `~/.aws/config` has the SSO profile configured, for example:
+
+```ini
+[profile my-sso-profile]
+sso_start_url = https://my-org.awsapps.com/start
+sso_region = eu-west-2
+sso_account_id = 123456789012
+sso_role_name = MyRole
+region = eu-west-2
 ```
 
 ## Client

data/lib/dvla/kaping/aws_client.rb

@@ -11,25 +11,34 @@ module DVLA
         @base_url = Kaping.yaml[:kaping_host]
         @aws_account_id = Kaping.yaml.dig(:aws, :account_id)
         @role = Kaping.yaml.dig(:aws, :role)
-        @region = Kaping.yaml.dig(:aws, :region)
-        Kaping.logger.info { "Kaping Client | base_url: '#{@base_url}'" }
+        @region = Kaping.yaml.dig(:aws, :region) || 'eu-west-2'
+        Kaping.logger.debug { "AWS Client | base_url: '#{@base_url}'" }
+      end
+
+      def select_credentials
+        case Kaping.yaml.dig(:aws, :credential_type)
+        when 'profile'
+          assume_role_profile(@aws_account_id, @role)
+        when 'env'
+          assume_role_env(@aws_account_id, @role)
+        when 'credentials'
+          Aws::CredentialProviderChain.new.resolve
+        else
+          logger.warn { 'Credential type not recognised, please set an option: profile, env or credentials' }
+        end
       end
 
       def connect
-        credentials = if Kaping.yaml.dig(:aws, :credential_type) == 'profile'
-                        assume_role_profile(@aws_account_id, @role)
-                      else
-                        assume_role_env(@aws_account_id, @role)
-                      end
+        credentials = select_credentials
 
         signer = Aws::Sigv4::Signer.new(service: 'es',
                                         region: @region,
                                         credentials_provider: credentials)
 
         OpenSearch::Aws::Sigv4Client.new({
-                                      host: @base_url,
-                                      log: false,
-                                    }, signer)
+                                           host: @base_url,
+                                           log: false,
+                                         }, signer)
       end
 
     private
@@ -38,7 +47,9 @@ module DVLA
       def assume_role_profile(aws_account_id, role)
         role_arn = "arn:aws:iam::#{aws_account_id}:role/#{role}"
         sts = Aws::STS::Client.new(region: @region, profile: Kaping.yaml.dig(:aws, :profile))
-        sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        resp = sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        Aws::Credentials.new(resp.credentials.access_key_id, resp.credentials.secret_access_key,
+                             resp.credentials.session_token)
       rescue Aws::STS::Errors::ServiceError => e
         raise "#{__method__}: AWS Profile Credentials Issue: #{e.message}  #{e.class.name}"
       end
@@ -47,7 +58,9 @@ module DVLA
       def assume_role_env(aws_account_id, role)
         role_arn = "arn:aws:iam::#{aws_account_id}:role/#{role}"
         sts = Aws::STS::Client.new(region: @region)
-        sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        resp = sts.assume_role(role_arn: role_arn, role_session_name: 'kaping')
+        Aws::Credentials.new(resp.credentials.access_key_id, resp.credentials.secret_access_key,
+                             resp.credentials.session_token)
       rescue Aws::STS::Errors::ServiceError => e
         raise "#{__method__}: AWS ENV Credentials Issue: #{e.message}  #{e.class.name}"
       end

data/lib/dvla/kaping/version.rb

@@ -2,6 +2,6 @@
 
 module DVLA
   module Kaping
-    VERSION = '1.0.4'
+    VERSION = '1.0.5'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dvla-kaping
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - Driver and Vehicle Licensing Agency (DVLA)
 - Kevin Upstill
 bindir: exe
 cert_chain: []
-date: 2025-11-12 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-sts
@@ -30,54 +30,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '1.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.8'
+        version: '1.12'
 - !ruby/object:Gem::Dependency
   name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.18'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.18.8
+        version: '1.19'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.18'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.18.8
+        version: '1.19'
 - !ruby/object:Gem::Dependency
   name: opensearch-aws-sigv4
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: '1.3'
 description: Wrapper for the AWS elastic search API to create an idiomatic way to
   build complex search queries
 email:
@@ -118,14 +106,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3'
+      version: '4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.6
 specification_version: 4
 summary: Idiomatic way to create DSL openSearch definitions
 test_files: []