@jjrawlins/cdk-iam-policy-builder-helper 0.0.69 → 0.0.71

package/node_modules/@aws-sdk/credential-provider-node/dist-es/defaultProvider.js

@@ -1,18 +1,20 @@
 import { ENV_KEY, ENV_SECRET, fromEnv } from "@aws-sdk/credential-provider-env";
-import { chain, CredentialsProviderError, memoize } from "@smithy/property-provider";
+import { CredentialsProviderError } from "@smithy/property-provider";
 import { ENV_PROFILE } from "@smithy/shared-ini-file-loader";
 import { remoteProvider } from "./remoteProvider";
+import { memoizeChain } from "./runtime/memoize-chain";
 let multipleCredentialSourceWarningEmitted = false;
-export const defaultProvider = (init = {}) => memoize(chain(async () => {
-    const profile = init.profile ?? process.env[ENV_PROFILE];
-    if (profile) {
-        const envStaticCredentialsAreSet = process.env[ENV_KEY] && process.env[ENV_SECRET];
-        if (envStaticCredentialsAreSet) {
-            if (!multipleCredentialSourceWarningEmitted) {
-                const warnFn = init.logger?.warn && init.logger?.constructor?.name !== "NoOpLogger"
-                    ? init.logger.warn.bind(init.logger)
-                    : console.warn;
-                warnFn(`@aws-sdk/credential-provider-node - defaultProvider::fromEnv WARNING:
+export const defaultProvider = (init = {}) => memoizeChain([
+    async () => {
+        const profile = init.profile ?? process.env[ENV_PROFILE];
+        if (profile) {
+            const envStaticCredentialsAreSet = process.env[ENV_KEY] && process.env[ENV_SECRET];
+            if (envStaticCredentialsAreSet) {
+                if (!multipleCredentialSourceWarningEmitted) {
+                    const warnFn = init.logger?.warn && init.logger?.constructor?.name !== "NoOpLogger"
+                        ? init.logger.warn.bind(init.logger)
+                        : console.warn;
+                    warnFn(`@aws-sdk/credential-provider-node - defaultProvider::fromEnv WARNING:
     Multiple credential sources detected: 
     Both AWS_PROFILE and the pair AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY static credentials are set.
     This SDK will proceed with the AWS_PROFILE value.
@@ -21,44 +23,51 @@ export const defaultProvider = (init = {}) => memoize(chain(async () => {
     Please ensure that your environment only sets either the AWS_PROFILE or the
     AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY pair.
 `);
-                multipleCredentialSourceWarningEmitted = true;
+                    multipleCredentialSourceWarningEmitted = true;
+                }
             }
+            throw new CredentialsProviderError("AWS_PROFILE is set, skipping fromEnv provider.", {
+                logger: init.logger,
+                tryNextLink: true,
+            });
         }
-        throw new CredentialsProviderError("AWS_PROFILE is set, skipping fromEnv provider.", {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromEnv");
+        return fromEnv(init)();
+    },
+    async (awsIdentityProperties) => {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromSSO");
+        const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
+        if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
+            throw new CredentialsProviderError("Skipping SSO provider in default chain (inputs do not include SSO fields).", { logger: init.logger });
+        }
+        const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
+        return fromSSO(init)(awsIdentityProperties);
+    },
+    async (awsIdentityProperties) => {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromIni");
+        const { fromIni } = await import("@aws-sdk/credential-provider-ini");
+        return fromIni(init)(awsIdentityProperties);
+    },
+    async (awsIdentityProperties) => {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromProcess");
+        const { fromProcess } = await import("@aws-sdk/credential-provider-process");
+        return fromProcess(init)(awsIdentityProperties);
+    },
+    async (awsIdentityProperties) => {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromTokenFile");
+        const { fromTokenFile } = await import("@aws-sdk/credential-provider-web-identity");
+        return fromTokenFile(init)(awsIdentityProperties);
+    },
+    async () => {
+        init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider");
+        return (await remoteProvider(init))();
+    },
+    async () => {
+        throw new CredentialsProviderError("Could not load credentials from any providers", {
+            tryNextLink: false,
             logger: init.logger,
-            tryNextLink: true,
         });
-    }
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromEnv");
-    return fromEnv(init)();
-}, async () => {
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromSSO");
-    const { ssoStartUrl, ssoAccountId, ssoRegion, ssoRoleName, ssoSession } = init;
-    if (!ssoStartUrl && !ssoAccountId && !ssoRegion && !ssoRoleName && !ssoSession) {
-        throw new CredentialsProviderError("Skipping SSO provider in default chain (inputs do not include SSO fields).", { logger: init.logger });
-    }
-    const { fromSSO } = await import("@aws-sdk/credential-provider-sso");
-    return fromSSO(init)();
-}, async () => {
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromIni");
-    const { fromIni } = await import("@aws-sdk/credential-provider-ini");
-    return fromIni(init)();
-}, async () => {
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromProcess");
-    const { fromProcess } = await import("@aws-sdk/credential-provider-process");
-    return fromProcess(init)();
-}, async () => {
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromTokenFile");
-    const { fromTokenFile } = await import("@aws-sdk/credential-provider-web-identity");
-    return fromTokenFile(init)();
-}, async () => {
-    init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::remoteProvider");
-    return (await remoteProvider(init))();
-}, async () => {
-    throw new CredentialsProviderError("Could not load credentials from any providers", {
-        tryNextLink: false,
-        logger: init.logger,
-    });
-}), credentialsTreatedAsExpired, credentialsWillNeedRefresh);
+    },
+], credentialsTreatedAsExpired);
 export const credentialsWillNeedRefresh = (credentials) => credentials?.expiration !== undefined;
 export const credentialsTreatedAsExpired = (credentials) => credentials?.expiration !== undefined && credentials.expiration.getTime() - Date.now() < 300000;

package/node_modules/@aws-sdk/credential-provider-node/dist-es/runtime/memoize-chain.js

@@ -0,0 +1,54 @@
+export function memoizeChain(providers, treatAsExpired) {
+    const chain = internalCreateChain(providers);
+    let activeLock;
+    let passiveLock;
+    let credentials;
+    const provider = async (options) => {
+        if (options?.forceRefresh) {
+            return await chain(options);
+        }
+        if (credentials?.expiration) {
+            if (credentials?.expiration?.getTime() < Date.now()) {
+                credentials = undefined;
+            }
+        }
+        if (activeLock) {
+            await activeLock;
+        }
+        else if (!credentials || treatAsExpired?.(credentials)) {
+            if (credentials) {
+                if (!passiveLock) {
+                    passiveLock = chain(options).then((c) => {
+                        credentials = c;
+                        passiveLock = undefined;
+                    });
+                }
+            }
+            else {
+                activeLock = chain(options).then((c) => {
+                    credentials = c;
+                    activeLock = undefined;
+                });
+                return provider(options);
+            }
+        }
+        return credentials;
+    };
+    return provider;
+}
+export const internalCreateChain = (providers) => async (awsIdentityProperties) => {
+    let lastProviderError;
+    for (const provider of providers) {
+        try {
+            return await provider(awsIdentityProperties);
+        }
+        catch (err) {
+            lastProviderError = err;
+            if (err?.tryNextLink) {
+                continue;
+            }
+            throw err;
+        }
+    }
+    throw lastProviderError;
+};

package/node_modules/@aws-sdk/credential-provider-node/dist-types/defaultProvider.d.ts

@@ -4,7 +4,8 @@ import type { FromProcessInit } from "@aws-sdk/credential-provider-process";
 import type { FromSSOInit, SsoCredentialsParameters } from "@aws-sdk/credential-provider-sso";
 import type { FromTokenFileInit } from "@aws-sdk/credential-provider-web-identity";
 import type { RemoteProviderInit } from "@smithy/credential-provider-imds";
-import { AwsCredentialIdentity, MemoizedProvider } from "@smithy/types";
+import type { AwsCredentialIdentity } from "@smithy/types";
+import { type MemoizedRuntimeConfigAwsCredentialIdentityProvider } from "./runtime/memoize-chain";
 /**
  * @public
  */
@@ -43,7 +44,7 @@ export type DefaultProviderInit = FromIniInit & FromHttpOptions & RemoteProvider
  * @see {@link fromContainerMetadata}   The function used to source credentials from the
  *                                      ECS Container Metadata Service.
  */
-export declare const defaultProvider: (init?: DefaultProviderInit) => MemoizedProvider<AwsCredentialIdentity>;
+export declare const defaultProvider: (init?: DefaultProviderInit) => MemoizedRuntimeConfigAwsCredentialIdentityProvider;
 /**
  * @internal
  *

package/node_modules/@aws-sdk/credential-provider-node/dist-types/runtime/memoize-chain.d.ts

@@ -0,0 +1,18 @@
+import type { AwsCredentialIdentity, AwsIdentityProperties, RuntimeConfigAwsCredentialIdentityProvider } from "@aws-sdk/types";
+/**
+ * Memoized provider chain for AWS credentials.
+ * The options are only reevaluated if forceRefresh=true is passed or a natural
+ * refresh occurs.
+ *
+ * @public
+ */
+export interface MemoizedRuntimeConfigAwsCredentialIdentityProvider {
+    (options?: AwsIdentityProperties & {
+        forceRefresh?: boolean;
+    }): Promise<AwsCredentialIdentity>;
+}
+/**
+ * @internal
+ */
+export declare function memoizeChain(providers: RuntimeConfigAwsCredentialIdentityProvider[], treatAsExpired: (resolved: AwsCredentialIdentity) => boolean): MemoizedRuntimeConfigAwsCredentialIdentityProvider;
+export declare const internalCreateChain: (providers: RuntimeConfigAwsCredentialIdentityProvider[]) => RuntimeConfigAwsCredentialIdentityProvider;

package/node_modules/@aws-sdk/credential-provider-node/dist-types/ts3.4/defaultProvider.d.ts

@@ -7,7 +7,8 @@ import {
 } from "@aws-sdk/credential-provider-sso";
 import { FromTokenFileInit } from "@aws-sdk/credential-provider-web-identity";
 import { RemoteProviderInit } from "@smithy/credential-provider-imds";
-import { AwsCredentialIdentity, MemoizedProvider } from "@smithy/types";
+import { AwsCredentialIdentity } from "@smithy/types";
+import { MemoizedRuntimeConfigAwsCredentialIdentityProvider } from "./runtime/memoize-chain";
 export type DefaultProviderInit = FromIniInit &
   FromHttpOptions &
   RemoteProviderInit &
@@ -16,7 +17,7 @@ export type DefaultProviderInit = FromIniInit &
   FromTokenFileInit;
 export declare const defaultProvider: (
   init?: DefaultProviderInit
-) => MemoizedProvider<AwsCredentialIdentity>;
+) => MemoizedRuntimeConfigAwsCredentialIdentityProvider;
 export declare const credentialsWillNeedRefresh: (
   credentials: AwsCredentialIdentity
 ) => boolean;

package/node_modules/@aws-sdk/credential-provider-node/dist-types/ts3.4/runtime/memoize-chain.d.ts

@@ -0,0 +1,19 @@
+import {
+  AwsCredentialIdentity,
+  AwsIdentityProperties,
+  RuntimeConfigAwsCredentialIdentityProvider,
+} from "@aws-sdk/types";
+export interface MemoizedRuntimeConfigAwsCredentialIdentityProvider {
+  (
+    options?: AwsIdentityProperties & {
+      forceRefresh?: boolean;
+    }
+  ): Promise<AwsCredentialIdentity>;
+}
+export declare function memoizeChain(
+  providers: RuntimeConfigAwsCredentialIdentityProvider[],
+  treatAsExpired: (resolved: AwsCredentialIdentity) => boolean
+): MemoizedRuntimeConfigAwsCredentialIdentityProvider;
+export declare const internalCreateChain: (
+  providers: RuntimeConfigAwsCredentialIdentityProvider[]
+) => RuntimeConfigAwsCredentialIdentityProvider;

package/node_modules/@aws-sdk/credential-provider-node/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-node",
-  "version": "3.919.0",
+  "version": "3.921.0",
   "description": "AWS credential provider that sources credentials from a Node.JS environment. ",
   "engines": {
     "node": ">=18.0.0"
@@ -15,7 +15,7 @@
     "build:types": "tsc -p tsconfig.types.json",
     "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
     "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
-    "test": "yarn g:vitest run",
+    "test": "yarn g:vitest run --reporter verbose",
     "test:watch": "yarn g:vitest watch",
     "test:integration": "yarn g:vitest run -c vitest.config.integ.mts",
     "test:integration:watch": "yarn g:vitest watch -c vitest.config.integ.mts"
@@ -31,17 +31,17 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/credential-provider-env": "3.916.0",
-    "@aws-sdk/credential-provider-http": "3.916.0",
-    "@aws-sdk/credential-provider-ini": "3.919.0",
-    "@aws-sdk/credential-provider-process": "3.916.0",
-    "@aws-sdk/credential-provider-sso": "3.919.0",
-    "@aws-sdk/credential-provider-web-identity": "3.919.0",
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/credential-provider-imds": "^4.2.3",
-    "@smithy/property-provider": "^4.2.3",
-    "@smithy/shared-ini-file-loader": "^4.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/credential-provider-env": "3.921.0",
+    "@aws-sdk/credential-provider-http": "3.921.0",
+    "@aws-sdk/credential-provider-ini": "3.921.0",
+    "@aws-sdk/credential-provider-process": "3.921.0",
+    "@aws-sdk/credential-provider-sso": "3.921.0",
+    "@aws-sdk/credential-provider-web-identity": "3.921.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/credential-provider-imds": "^4.2.4",
+    "@smithy/property-provider": "^4.2.4",
+    "@smithy/shared-ini-file-loader": "^4.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/credential-provider-process/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-process",
-  "version": "3.916.0",
+  "version": "3.921.0",
   "description": "AWS credential provider that sources credential_process from ~/.aws/credentials and ~/.aws/config",
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -26,11 +26,11 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/core": "3.916.0",
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/property-provider": "^4.2.3",
-    "@smithy/shared-ini-file-loader": "^4.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/core": "3.921.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/property-provider": "^4.2.4",
+    "@smithy/shared-ini-file-loader": "^4.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/credential-provider-sso/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-sso",
-  "version": "3.919.0",
+  "version": "3.921.0",
   "description": "AWS credential provider that exchanges a resolved SSO login token file for temporary AWS credentials",
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -26,13 +26,13 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/client-sso": "3.919.0",
-    "@aws-sdk/core": "3.916.0",
-    "@aws-sdk/token-providers": "3.919.0",
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/property-provider": "^4.2.3",
-    "@smithy/shared-ini-file-loader": "^4.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/client-sso": "3.921.0",
+    "@aws-sdk/core": "3.921.0",
+    "@aws-sdk/token-providers": "3.921.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/property-provider": "^4.2.4",
+    "@smithy/shared-ini-file-loader": "^4.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/credential-provider-web-identity/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/credential-provider-web-identity",
-  "version": "3.919.0",
+  "version": "3.921.0",
   "description": "AWS credential provider that calls STS assumeRole for temporary AWS credentials",
   "main": "./dist-cjs/index.js",
   "module": "./dist-es/index.js",
@@ -34,12 +34,12 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/core": "3.916.0",
-    "@aws-sdk/nested-clients": "3.919.0",
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/property-provider": "^4.2.3",
-    "@smithy/shared-ini-file-loader": "^4.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/core": "3.921.0",
+    "@aws-sdk/nested-clients": "3.921.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/property-provider": "^4.2.4",
+    "@smithy/shared-ini-file-loader": "^4.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/middleware-host-header/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/middleware-host-header",
-  "version": "3.914.0",
+  "version": "3.921.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline middleware-host-header",
@@ -25,9 +25,9 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/protocol-http": "^5.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/protocol-http": "^5.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "engines": {

package/node_modules/@aws-sdk/middleware-logger/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/middleware-logger",
-  "version": "3.914.0",
+  "version": "3.921.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline middleware-logger",
@@ -25,8 +25,8 @@
   "module": "./dist-es/index.js",
   "types": "./dist-types/index.d.ts",
   "dependencies": {
-    "@aws-sdk/types": "3.914.0",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/types": "3.921.0",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/middleware-recursion-detection/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/middleware-recursion-detection",
-  "version": "3.919.0",
+  "version": "3.921.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline middleware-recursion-detection",
@@ -24,10 +24,10 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/types": "3.914.0",
+    "@aws-sdk/types": "3.921.0",
     "@aws/lambda-invoke-store": "^0.1.1",
-    "@smithy/protocol-http": "^5.3.3",
-    "@smithy/types": "^4.8.0",
+    "@smithy/protocol-http": "^5.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "engines": {

package/node_modules/@aws-sdk/middleware-user-agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws-sdk/middleware-user-agent",
-  "version": "3.916.0",
+  "version": "3.921.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline middleware-user-agent",
@@ -25,12 +25,12 @@
   },
   "license": "Apache-2.0",
   "dependencies": {
-    "@aws-sdk/core": "3.916.0",
-    "@aws-sdk/types": "3.914.0",
-    "@aws-sdk/util-endpoints": "3.916.0",
-    "@smithy/core": "^3.17.1",
-    "@smithy/protocol-http": "^5.3.3",
-    "@smithy/types": "^4.8.0",
+    "@aws-sdk/core": "3.921.0",
+    "@aws-sdk/types": "3.921.0",
+    "@aws-sdk/util-endpoints": "3.921.0",
+    "@smithy/core": "^3.17.2",
+    "@smithy/protocol-http": "^5.3.4",
+    "@smithy/types": "^4.8.1",
     "tslib": "^2.6.2"
   },
   "devDependencies": {

package/node_modules/@aws-sdk/nested-clients/dist-cjs/submodules/sso-oidc/endpoint/ruleset.js

@@ -2,6 +2,6 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ruleSet = void 0;
 const u = "required", v = "fn", w = "argv", x = "ref";
-const a = true, b = "isSet", c = "booleanEquals", d = "error", e = "endpoint", f = "tree", g = "PartitionResult", h = "getAttr", i = { [u]: false, "type": "String" }, j = { [u]: true, "default": false, "type": "Boolean" }, k = { [x]: "Endpoint" }, l = { [v]: c, [w]: [{ [x]: "UseFIPS" }, true] }, m = { [v]: c, [w]: [{ [x]: "UseDualStack" }, true] }, n = {}, o = { [v]: h, [w]: [{ [x]: g }, "supportsFIPS"] }, p = { [x]: g }, q = { [v]: c, [w]: [true, { [v]: h, [w]: [p, "supportsDualStack"] }] }, r = [l], s = [m], t = [{ [x]: "Region" }];
+const a = true, b = "isSet", c = "booleanEquals", d = "error", e = "endpoint", f = "tree", g = "PartitionResult", h = "getAttr", i = { [u]: false, "type": "string" }, j = { [u]: true, "default": false, "type": "boolean" }, k = { [x]: "Endpoint" }, l = { [v]: c, [w]: [{ [x]: "UseFIPS" }, true] }, m = { [v]: c, [w]: [{ [x]: "UseDualStack" }, true] }, n = {}, o = { [v]: h, [w]: [{ [x]: g }, "supportsFIPS"] }, p = { [x]: g }, q = { [v]: c, [w]: [true, { [v]: h, [w]: [p, "supportsDualStack"] }] }, r = [l], s = [m], t = [{ [x]: "Region" }];
 const _data = { version: "1.0", parameters: { Region: i, UseDualStack: j, UseFIPS: j, Endpoint: i }, rules: [{ conditions: [{ [v]: b, [w]: [k] }], rules: [{ conditions: r, error: "Invalid Configuration: FIPS and custom endpoint are not supported", type: d }, { conditions: s, error: "Invalid Configuration: Dualstack and custom endpoint are not supported", type: d }, { endpoint: { url: k, properties: n, headers: n }, type: e }], type: f }, { conditions: [{ [v]: b, [w]: t }], rules: [{ conditions: [{ [v]: "aws.partition", [w]: t, assign: g }], rules: [{ conditions: [l, m], rules: [{ conditions: [{ [v]: c, [w]: [a, o] }, q], rules: [{ endpoint: { url: "https://oidc-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "FIPS and DualStack are enabled, but this partition does not support one or both", type: d }], type: f }, { conditions: r, rules: [{ conditions: [{ [v]: c, [w]: [o, a] }], rules: [{ conditions: [{ [v]: "stringEquals", [w]: [{ [v]: h, [w]: [p, "name"] }, "aws-us-gov"] }], endpoint: { url: "https://oidc.{Region}.amazonaws.com", properties: n, headers: n }, type: e }, { endpoint: { url: "https://oidc-fips.{Region}.{PartitionResult#dnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "FIPS is enabled but this partition does not support FIPS", type: d }], type: f }, { conditions: s, rules: [{ conditions: [q], rules: [{ endpoint: { url: "https://oidc.{Region}.{PartitionResult#dualStackDnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "DualStack is enabled but this partition does not support DualStack", type: d }], type: f }, { endpoint: { url: "https://oidc.{Region}.{PartitionResult#dnsSuffix}", properties: n, headers: n }, type: e }], type: f }], type: f }, { error: "Invalid Configuration: Missing Region", type: d }] };
 exports.ruleSet = _data;

package/node_modules/@aws-sdk/nested-clients/dist-cjs/submodules/sts/index.js

@@ -8,6 +8,7 @@ var EndpointParameters = require('./endpoint/EndpointParameters');
 var core = require('@aws-sdk/core');
 var protocolHttp = require('@smithy/protocol-http');
 var client = require('@aws-sdk/core/client');
+var regionConfigResolver = require('@aws-sdk/region-config-resolver');
 
 class STSServiceException extends smithyClient.ServiceException {
     constructor(options) {
@@ -679,7 +680,6 @@ class STS extends STSClient.STSClient {
 }
 smithyClient.createAggregatedClient(commands, STS);
 
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
 const getAccountIdFromAssumedRoleUser = (assumedRoleUser) => {
     if (typeof assumedRoleUser?.Arn === "string") {
         const arnComponents = assumedRoleUser.Arn.split(":");
@@ -689,11 +689,12 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser) => {
     }
     return undefined;
 };
-const resolveRegion = async (_region, _parentRegion, credentialProviderLogger) => {
+const resolveRegion = async (_region, _parentRegion, credentialProviderLogger, loaderConfig = {}) => {
     const region = typeof _region === "function" ? await _region() : _region;
     const parentRegion = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
-    credentialProviderLogger?.debug?.("@aws-sdk/client-sts::resolveRegion", "accepting first of:", `${region} (provider)`, `${parentRegion} (parent client)`, `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`);
-    return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+    const stsDefaultRegion = await regionConfigResolver.stsRegionDefaultResolver(loaderConfig)();
+    credentialProviderLogger?.debug?.("@aws-sdk/client-sts::resolveRegion", "accepting first of:", `${region} (credential provider clientConfig)`, `${parentRegion} (contextual client)`, `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`);
+    return region ?? parentRegion ?? stsDefaultRegion;
 };
 const getDefaultRoleAssumer$1 = (stsOptions, STSClient) => {
     let stsClient;
@@ -702,7 +703,10 @@ const getDefaultRoleAssumer$1 = (stsOptions, STSClient) => {
         closureSourceCreds = sourceCreds;
         if (!stsClient) {
             const { logger = stsOptions?.parentClientConfig?.logger, profile = stsOptions?.parentClientConfig?.profile, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions;
-            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger);
+            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger, {
+                logger,
+                profile,
+            });
             const isCompatibleRequestHandler = !isH2(requestHandler);
             stsClient = new STSClient({
                 ...stsOptions,
@@ -735,7 +739,10 @@ const getDefaultRoleAssumerWithWebIdentity$1 = (stsOptions, STSClient) => {
     return async (params) => {
         if (!stsClient) {
             const { logger = stsOptions?.parentClientConfig?.logger, profile = stsOptions?.parentClientConfig?.profile, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions;
-            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger);
+            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger, {
+                logger,
+                profile,
+            });
             const isCompatibleRequestHandler = !isH2(requestHandler);
             stsClient = new STSClient({
                 ...stsOptions,

package/node_modules/@aws-sdk/nested-clients/dist-es/submodules/sso-oidc/endpoint/ruleset.js

@@ -1,4 +1,4 @@
 const u = "required", v = "fn", w = "argv", x = "ref";
-const a = true, b = "isSet", c = "booleanEquals", d = "error", e = "endpoint", f = "tree", g = "PartitionResult", h = "getAttr", i = { [u]: false, "type": "String" }, j = { [u]: true, "default": false, "type": "Boolean" }, k = { [x]: "Endpoint" }, l = { [v]: c, [w]: [{ [x]: "UseFIPS" }, true] }, m = { [v]: c, [w]: [{ [x]: "UseDualStack" }, true] }, n = {}, o = { [v]: h, [w]: [{ [x]: g }, "supportsFIPS"] }, p = { [x]: g }, q = { [v]: c, [w]: [true, { [v]: h, [w]: [p, "supportsDualStack"] }] }, r = [l], s = [m], t = [{ [x]: "Region" }];
+const a = true, b = "isSet", c = "booleanEquals", d = "error", e = "endpoint", f = "tree", g = "PartitionResult", h = "getAttr", i = { [u]: false, "type": "string" }, j = { [u]: true, "default": false, "type": "boolean" }, k = { [x]: "Endpoint" }, l = { [v]: c, [w]: [{ [x]: "UseFIPS" }, true] }, m = { [v]: c, [w]: [{ [x]: "UseDualStack" }, true] }, n = {}, o = { [v]: h, [w]: [{ [x]: g }, "supportsFIPS"] }, p = { [x]: g }, q = { [v]: c, [w]: [true, { [v]: h, [w]: [p, "supportsDualStack"] }] }, r = [l], s = [m], t = [{ [x]: "Region" }];
 const _data = { version: "1.0", parameters: { Region: i, UseDualStack: j, UseFIPS: j, Endpoint: i }, rules: [{ conditions: [{ [v]: b, [w]: [k] }], rules: [{ conditions: r, error: "Invalid Configuration: FIPS and custom endpoint are not supported", type: d }, { conditions: s, error: "Invalid Configuration: Dualstack and custom endpoint are not supported", type: d }, { endpoint: { url: k, properties: n, headers: n }, type: e }], type: f }, { conditions: [{ [v]: b, [w]: t }], rules: [{ conditions: [{ [v]: "aws.partition", [w]: t, assign: g }], rules: [{ conditions: [l, m], rules: [{ conditions: [{ [v]: c, [w]: [a, o] }, q], rules: [{ endpoint: { url: "https://oidc-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "FIPS and DualStack are enabled, but this partition does not support one or both", type: d }], type: f }, { conditions: r, rules: [{ conditions: [{ [v]: c, [w]: [o, a] }], rules: [{ conditions: [{ [v]: "stringEquals", [w]: [{ [v]: h, [w]: [p, "name"] }, "aws-us-gov"] }], endpoint: { url: "https://oidc.{Region}.amazonaws.com", properties: n, headers: n }, type: e }, { endpoint: { url: "https://oidc-fips.{Region}.{PartitionResult#dnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "FIPS is enabled but this partition does not support FIPS", type: d }], type: f }, { conditions: s, rules: [{ conditions: [q], rules: [{ endpoint: { url: "https://oidc.{Region}.{PartitionResult#dualStackDnsSuffix}", properties: n, headers: n }, type: e }], type: f }, { error: "DualStack is enabled but this partition does not support DualStack", type: d }], type: f }, { endpoint: { url: "https://oidc.{Region}.{PartitionResult#dnsSuffix}", properties: n, headers: n }, type: e }], type: f }], type: f }, { error: "Invalid Configuration: Missing Region", type: d }] };
 export const ruleSet = _data;

package/node_modules/@aws-sdk/nested-clients/dist-es/submodules/sts/defaultStsRoleAssumers.js

@@ -1,7 +1,7 @@
 import { setCredentialFeature } from "@aws-sdk/core/client";
+import { stsRegionDefaultResolver } from "@aws-sdk/region-config-resolver";
 import { AssumeRoleCommand } from "./commands/AssumeRoleCommand";
 import { AssumeRoleWithWebIdentityCommand, } from "./commands/AssumeRoleWithWebIdentityCommand";
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
 const getAccountIdFromAssumedRoleUser = (assumedRoleUser) => {
     if (typeof assumedRoleUser?.Arn === "string") {
         const arnComponents = assumedRoleUser.Arn.split(":");
@@ -11,11 +11,12 @@ const getAccountIdFromAssumedRoleUser = (assumedRoleUser) => {
     }
     return undefined;
 };
-const resolveRegion = async (_region, _parentRegion, credentialProviderLogger) => {
+const resolveRegion = async (_region, _parentRegion, credentialProviderLogger, loaderConfig = {}) => {
     const region = typeof _region === "function" ? await _region() : _region;
     const parentRegion = typeof _parentRegion === "function" ? await _parentRegion() : _parentRegion;
-    credentialProviderLogger?.debug?.("@aws-sdk/client-sts::resolveRegion", "accepting first of:", `${region} (provider)`, `${parentRegion} (parent client)`, `${ASSUME_ROLE_DEFAULT_REGION} (STS default)`);
-    return region ?? parentRegion ?? ASSUME_ROLE_DEFAULT_REGION;
+    const stsDefaultRegion = await stsRegionDefaultResolver(loaderConfig)();
+    credentialProviderLogger?.debug?.("@aws-sdk/client-sts::resolveRegion", "accepting first of:", `${region} (credential provider clientConfig)`, `${parentRegion} (contextual client)`, `${stsDefaultRegion} (STS default: AWS_REGION, profile region, or us-east-1)`);
+    return region ?? parentRegion ?? stsDefaultRegion;
 };
 export const getDefaultRoleAssumer = (stsOptions, STSClient) => {
     let stsClient;
@@ -24,7 +25,10 @@ export const getDefaultRoleAssumer = (stsOptions, STSClient) => {
         closureSourceCreds = sourceCreds;
         if (!stsClient) {
             const { logger = stsOptions?.parentClientConfig?.logger, profile = stsOptions?.parentClientConfig?.profile, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions;
-            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger);
+            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger, {
+                logger,
+                profile,
+            });
             const isCompatibleRequestHandler = !isH2(requestHandler);
             stsClient = new STSClient({
                 ...stsOptions,
@@ -57,7 +61,10 @@ export const getDefaultRoleAssumerWithWebIdentity = (stsOptions, STSClient) => {
     return async (params) => {
         if (!stsClient) {
             const { logger = stsOptions?.parentClientConfig?.logger, profile = stsOptions?.parentClientConfig?.profile, region, requestHandler = stsOptions?.parentClientConfig?.requestHandler, credentialProviderLogger, } = stsOptions;
-            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger);
+            const resolvedRegion = await resolveRegion(region, stsOptions?.parentClientConfig?.region, credentialProviderLogger, {
+                logger,
+                profile,
+            });
             const isCompatibleRequestHandler = !isH2(requestHandler);
             stsClient = new STSClient({
                 ...stsOptions,