diff --git a/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/endpoints_module.rb b/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/endpoints_module.rb index cd4a59a6d04..4b60720c4be 100644 --- a/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/endpoints_module.rb +++ b/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/endpoints_module.rb @@ -42,10 +42,6 @@ def initialize(options) # @return [Array] attr_reader :parameters - - def has_endpoint_built_in? - parameters.any? { |p| p.param_data['builtIn'] == 'SDK::Endpoint' } - end end class EndpointParameter @@ -134,6 +130,8 @@ def built_in_client_context_param_value(param_data) else 'context.config.use_dualstack_endpoint' end + when 'AWS::Auth::CredentialScope' + 'context.config.credentials.credentials.credential_scope' when 'AWS::STS::UseGlobalEndpoint' "context.config.sts_regional_endpoints == 'legacy'" when 'AWS::S3::UseGlobalEndpoint' @@ -151,7 +149,7 @@ def built_in_client_context_param_value(param_data) when 'AWS::S3::DisableMultiRegionAccessPoints' 'context.config.s3_disable_multiregion_access_points' when 'SDK::Endpoint' - 'endpoint' + 'context.config.regional_endpoint ? nil : context.config.endpoint.to_s' end end diff --git a/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/spec/endpoint_provider_spec_class.rb b/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/spec/endpoint_provider_spec_class.rb index dda46ea185d..160a175640a 100644 --- a/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/spec/endpoint_provider_spec_class.rb +++ b/build_tools/aws-sdk-code-generator/lib/aws-sdk-code-generator/views/spec/endpoint_provider_spec_class.rb 
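Review bot: The new `when 'AWS::Auth::CredentialScope'` branch of `built_in_client_context_param_value` emits `context.config.credentials.credentials.credential_scope` with no nil guard. A generated client whose `config.credentials` is nil would presumably raise `NoMethodError` while building endpoint parameters. The same would happen with a custom provider whose `credentials` object does not define `credential_scope`. If the supported Ruby versions allow it, emit a guarded expression instead, for example `'context.config.credentials&.credentials&.credential_scope'`, and consider a `respond_to?(:credential_scope)` check for duck-typed credentials. The `case` statement starts and ends outside this hunk, so how the other branches treat missing config cannot be compared here.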
@@ -51,9 +51,9 @@ def initialize(options) operation_name: Underscore.underscore( operation_inputs_test['operationName'] ), - operation_params: operation_inputs_test['operationParams'] || [], - built_in_params: operation_inputs_test['builtInParams'] || [], - client_params: operation_inputs_test['clientParams'] || [] + operation_params: operation_inputs_test['operationParams'] || {}, + built_in_params: operation_inputs_test['builtInParams'] || {}, + client_params: operation_inputs_test['clientParams'] || {} ) end end @@ -117,12 +117,13 @@ def initialize(options) @client_params = options[:client_params].map do |k,v| Param.new(Underscore.underscore(k), v) end - @client_params += options[:built_in_params].map do |k,v| built_in_to_param(k, v) end - # the expected default of UseGlobalEndpoint does not match the SDK's default value - if @service.identifier == 's3' && !options[:built_in_params].include?('AWS::S3::UseGlobalEndpoint') + # the expected default of UseGlobalEndpoint in rules + # does not match the Ruby SDK's default value + if @service.identifier == 's3' && + !options[:built_in_params].include?('AWS::S3::UseGlobalEndpoint') @client_params << built_in_to_param('AWS::S3::UseGlobalEndpoint', false) end end @@ -158,6 +159,12 @@ def built_in_to_param(built_in, value) Param.new('use_fips_endpoint', value) when 'AWS::UseDualStack' Param.new('use_dualstack_endpoint', value) + when 'AWS::Auth::CredentialScope' + Param.new( + 'credentials', + "Aws::Credentials.new('stubbed-akid', 'stubbed-secret', credential_scope: '#{value}')", + true + ) when 'AWS::STS::UseGlobalEndpoint' Param.new('sts_regional_endpoints', value ? 'legacy' : 'regional') when 'AWS::S3::UseGlobalEndpoint' 
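Review bot: In the `'AWS::Auth::CredentialScope'` branch of `built_in_to_param`, `value` is placed between hand-written single quotes in a string that is then emitted verbatim as Ruby source, because the third argument marks the param as literal. The value comes from the endpoint test data (`builtInParams`), so a value containing `'` or a backslash would end the string early and the rest would be parsed as code in the generated spec. Let Ruby produce the literal instead of quoting by hand: `"Aws::Credentials.new('stubbed-akid', 'stubbed-secret', credential_scope: #{value.inspect})"`. `String#inspect` also escapes interpolation sequences, so the generated file stays inert whatever the model contains.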
@@ -166,9 +173,7 @@ def built_in_to_param(built_in, value) Param.new('use_accelerate_endpoint', value) when 'AWS::S3::ForcePathStyle' Param.new('force_path_style', value) - when 'AWS::S3::UseArnRegion' - Param.new('s3_use_arn_region', value) - when 'AWS::S3Control::UseArnRegion' + when 'AWS::S3::UseArnRegion', 'AWS::S3Control::UseArnRegion' Param.new('s3_use_arn_region', value) when 'AWS::S3::DisableMultiRegionAccessPoints' Param.new('s3_disable_multiregion_access_points', value) @@ -181,14 +186,16 @@ def built_in_to_param(built_in, value) end class Param - def initialize(param, value) + def initialize(param, value, literal = false) @param = param @value = value + @literal = literal end + attr_accessor :param def value - if @value.is_a? String + if @value.is_a?(String) && !@literal "'#{@value}'" else @value diff --git a/build_tools/aws-sdk-code-generator/templates/endpoints_module.mustache b/build_tools/aws-sdk-code-generator/templates/endpoints_module.mustache index 7ae625341e5..a93a5860b8a 100644 --- a/build_tools/aws-sdk-code-generator/templates/endpoints_module.mustache +++ b/build_tools/aws-sdk-code-generator/templates/endpoints_module.mustache @@ -11,11 +11,6 @@ module {{module_name}} {{#endpoint_classes}} class {{name}} def self.build(context) - {{#has_endpoint_built_in?}} - unless context.config.regional_endpoint - endpoint = context.config.endpoint.to_s - end - {{/has_endpoint_built_in?}} {{module_name}}::EndpointParameters.new( {{#parameters}} {{#static_string?}} diff --git a/build_tools/aws-sdk-code-generator/templates/spec/endpoint_provider_spec_class.mustache b/build_tools/aws-sdk-code-generator/templates/spec/endpoint_provider_spec_class.mustache index 113dd74f293..ca34cacdb32 100644 --- a/build_tools/aws-sdk-code-generator/templates/spec/endpoint_provider_spec_class.mustache +++ b/build_tools/aws-sdk-code-generator/templates/spec/endpoint_provider_spec_class.mustache 
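Review bot: `Param#initialize` takes the new flag as a positional boolean (`literal = false`), so the call site in `built_in_to_param` ends in a bare `true` that says nothing about what it switches on. A keyword reads better and is harder to pass by accident: `def initialize(param, value, literal: false)`. Because `Param#value` then returns the string unmodified into the generated spec, the class also deserves a comment such as `# literal: value is emitted verbatim as Ruby source; callers must escape any model-derived text themselves`. The non-literal path still wraps strings as `"'#{@value}'"` without escaping embedded quotes; `@value.inspect` would be the safer serialisation there too.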
@@ -11,7 +11,7 @@ module {{module_name}} subject { {{module_name}}::EndpointProvider.new } {{#endpoint_tests}} - context '{{documentation}}' do + context "{{{documentation}}}" do let(:expected) do {{{expect}}} end diff --git a/build_tools/services.rb b/build_tools/services.rb index c722dc5c8de..2b93d89554c 100644 --- a/build_tools/services.rb +++ b/build_tools/services.rb @@ -10,7 +10,7 @@ class ServiceEnumerator MANIFEST_PATH = File.expand_path('../../services.json', __FILE__) # Minimum `aws-sdk-core` version for new gem builds - MINIMUM_CORE_VERSION = "3.188.0" + MINIMUM_CORE_VERSION = "3.189.0" # Minimum `aws-sdk-core` version for new S3 gem builds MINIMUM_CORE_VERSION_S3 = "3.189.0" diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md index 1dc605b5a19..1ff7e143bf9 100644 --- a/gems/aws-sdk-core/CHANGELOG.md +++ b/gems/aws-sdk-core/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased Changes ------------------ +* Feature - Support Credential scoped credentials using `ENV['AWS_CREDENTIAL_SCOPE']`, `aws_credential_scope` shared config, or the `credential_scope` Client configuration option. + 3.189.0 (2023-11-28) ------------------ diff --git a/gems/aws-sdk-core/aws-sdk-core.gemspec b/gems/aws-sdk-core/aws-sdk-core.gemspec index 4de5b13625b..06e7fbedd4d 100644 --- a/gems/aws-sdk-core/aws-sdk-core.gemspec +++ b/gems/aws-sdk-core/aws-sdk-core.gemspec @@ -13,7 +13,7 @@ Gem::Specification.new do |spec| spec.files = Dir['LICENSE.txt', 'CHANGELOG.md', 'VERSION', 'lib/**/*.rb', 'ca-bundle.crt'] spec.add_dependency('jmespath', '~> 1', '>= 1.6.1') # necessary for secure jmespath JSON parsing - spec.add_dependency('aws-partitions', '~> 1', '>= 1.651.0') # necessary for new endpoint resolution + spec.add_dependency('aws-partitions', '~> 1', '>= 1.823.0') # necessary for new endpoint metadata spec.add_dependency('aws-sigv4', '~> 1.8') # necessary for s3 express auth spec.add_dependency('aws-eventstream', '~> 1', '>= 1.3.0') # necessary for binary eventstream 
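Review bot: The `context` line now renders `documentation` through a triple mustache inside a double-quoted Ruby string, so the text reaches the generated spec unescaped. Any `"`, backslash or `#{...}` in a test case's documentation therefore becomes part of the spec's source and is evaluated when the file loads. The old form avoided this because the double mustache escaped quotes and the single-quoted string did not interpolate. Model files are build inputs, so have the view hand the template a ready-made Ruby literal (for example a `documentation` method returning `@documentation.inspect`, not shown in this diff) and render it without surrounding quotes: `context {{{documentation}}} do`. That keeps readable titles without the template quoting model text by hand.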
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb b/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb index 7574659c937..54fd315803d 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/credential_provider_chain.rb @@ -45,7 +45,8 @@ def static_credentials(options) Credentials.new( options[:config].access_key_id, options[:config].secret_access_key, - options[:config].session_token + options[:config].session_token, + credential_scope: options[:config].credential_scope ) end end @@ -94,7 +95,13 @@ def env_credentials(_options) key = %w[AWS_ACCESS_KEY_ID AMAZON_ACCESS_KEY_ID AWS_ACCESS_KEY] secret = %w[AWS_SECRET_ACCESS_KEY AMAZON_SECRET_ACCESS_KEY AWS_SECRET_KEY] token = %w[AWS_SESSION_TOKEN AMAZON_SESSION_TOKEN] - Credentials.new(envar(key), envar(secret), envar(token)) + scope = %w[AWS_CREDENTIAL_SCOPE] + Credentials.new( + envar(key), + envar(secret), + envar(token), + credential_scope: envar(scope) + ) end def envar(keys) diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/credentials.rb b/gems/aws-sdk-core/lib/aws-sdk-core/credentials.rb index 964074fe169..fa57584d9ee 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/credentials.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/credentials.rb 
@@ -6,21 +6,28 @@ class Credentials # @param [String] access_key_id # @param [String] secret_access_key # @param [String] session_token (nil) - def initialize(access_key_id, secret_access_key, session_token = nil) + # @param [Hash] kwargs + # @option kwargs [String] :credential_scope (nil) + def initialize(access_key_id, secret_access_key, session_token = nil, + **kwargs) @access_key_id = access_key_id @secret_access_key = secret_access_key @session_token = session_token + @credential_scope = kwargs[:credential_scope] end - # @return [String, nil] + # @return [String] attr_reader :access_key_id - # @return [String, nil] + # @return [String] attr_reader :secret_access_key # @return [String, nil] attr_reader :session_token + # @return [String, nil] + attr_reader :credential_scope + # @return [Credentials] def credentials self @@ -30,9 +37,9 @@ def credentials # access key are both set. def set? !access_key_id.nil? && - !access_key_id.empty? && - !secret_access_key.nil? && - !secret_access_key.empty? + !access_key_id.empty? && + !secret_access_key.nil? && + !secret_access_key.empty? end # Removing the secret access key from the default inspect string. diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb index b532731c300..65bf81457cf 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb @@ -12,6 +12,8 @@ class CredentialsConfiguration < Seahorse::Client::Plugin option(:session_token, doc_type: String, docstring: '') + option(:credential_scope, doc_type: String, docstring: '') + option(:profile, doc_default: 'default', doc_type: String, 
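Review bot: The YARD tags on `access_key_id` and `secret_access_key` are narrowed from `[String, nil]` to `[String]`, but `initialize` still stores whatever it is given and `set?` in this same file still tests both for nil. The old tags were the accurate ones, so I would keep `# @return [String, nil]` on both readers. Separately, `**kwargs` accepts and discards any unknown keyword, so a misspelt `credential_scop:` is dropped without error and the credentials are silently unscoped. If that leniency is deliberate for forward compatibility, say so on the `# @param [Hash] kwargs` line.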
@@ -57,13 +59,15 @@ class CredentialsConfiguration < Seahorse::Client::Plugin locations will be searched for credentials: * `Aws.config[:credentials]` -* The `:access_key_id`, `:secret_access_key`, and `:session_token` options. -* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'] +* The `:access_key_id`, `:secret_access_key`, `:session_token`, and + `:credential_scope` options. +* ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'], + ENV['AWS_SESSION_TOKEN'], and ENV['AWS_CREDENTIAL_SCOPE'] * `~/.aws/credentials` * `~/.aws/config` * EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive. Construct and pass an instance of - `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to + `Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to enable retries and extended timeouts. Instance profile credential fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED'] to true. diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/process_credentials.rb b/gems/aws-sdk-core/lib/aws-sdk-core/process_credentials.rb index 0a778ef8423..10aae46c4d2 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/process_credentials.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/process_credentials.rb @@ -59,7 +59,8 @@ def _parse_payload_format_v1(creds_json) creds = Credentials.new( creds_json['AccessKeyId'], creds_json['SecretAccessKey'], - creds_json['SessionToken'] + creds_json['SessionToken'], + credential_scope: creds_json['CredentialScope'] ) @expiration = creds_json['Expiration'] ? Time.iso8601(creds_json['Expiration']) : nil diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb index 6461d567bba..0d2a2b2717a 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/shared_config.rb 
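Review bot: In `_parse_payload_format_v1`, `creds_json['CredentialScope']` is taken from the credential process's JSON output and passed to `Credentials.new` without a type check. A number, array or nested object would then be carried into endpoint parameter building as the credential scope. Since this field now influences which endpoint a signed request is sent to, check it where it is read, e.g. `scope = creds_json['CredentialScope']` followed by `raise ArgumentError, 'CredentialScope must be a String' unless scope.nil? || scope.is_a?(String)`, or the payload error the surrounding code already raises. The method continues past the hunk, so any validation applied after `creds` is built is not visible here.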
@@ -413,7 +413,8 @@ def credentials_from_profile(prof_config) creds = Credentials.new( prof_config['aws_access_key_id'], prof_config['aws_secret_access_key'], - prof_config['aws_session_token'] + prof_config['aws_session_token'], + credential_scope: prof_config['aws_credential_scope'] ) creds if creds.set? end diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/shared_credentials.rb b/gems/aws-sdk-core/lib/aws-sdk-core/shared_credentials.rb index 836dd3f6273..9508080f19f 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/shared_credentials.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/shared_credentials.rb @@ -7,13 +7,6 @@ class SharedCredentials include CredentialProvider - # @api private - KEY_MAP = { - 'aws_access_key_id' => 'access_key_id', - 'aws_secret_access_key' => 'secret_access_key', - 'aws_session_token' => 'session_token', - } - # Constructs a new SharedCredentials object. This will load static # (access_key_id, secret_access_key and session_token) AWS access # credentials from an ini file, which supports profiles. The default diff --git a/gems/aws-sdk-core/spec/aws/credential_provider_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_provider_chain_spec.rb index 164abe62037..bf5a6a82446 100644 --- a/gems/aws-sdk-core/spec/aws/credential_provider_chain_spec.rb +++ b/gems/aws-sdk-core/spec/aws/credential_provider_chain_spec.rb @@ -6,8 +6,12 @@ module Aws describe CredentialProviderChain do def random_creds - { access_key_id: SecureRandom.hex, - secret_access_key: SecureRandom.hex, session_token: SecureRandom.hex } + { + access_key_id: SecureRandom.hex, + secret_access_key: SecureRandom.hex, + session_token: SecureRandom.hex, + credential_scope: SecureRandom.hex + } end def with_shared_credentials(profile_name = SecureRandom.hex, credentials_file = nil) 
@@ -19,6 +23,7 @@ def with_shared_credentials(profile_name = SecureRandom.hex, credentials_file = aws_access_key_id = #{creds[:access_key_id]} aws_secret_access_key = #{creds[:secret_access_key]} aws_session_token = #{creds[:session_token]} +aws_credential_scope = #{creds[:credential_scope]} CREDS allow(Dir).to receive(:home).and_return('HOME') allow(File).to receive(:exist?).with(path).and_return(true) @@ -29,9 +34,10 @@ def with_shared_credentials(profile_name = SecureRandom.hex, credentials_file = def with_env_credentials creds = random_creds - env['AWS_ACCESS_KEY_ID'] = creds[:access_key_id] - env['AWS_SECRET_ACCESS_KEY'] = creds[:secret_access_key] - env['AWS_SESSION_TOKEN'] = creds[:session_token] + ENV['AWS_ACCESS_KEY_ID'] = creds[:access_key_id] + ENV['AWS_SECRET_ACCESS_KEY'] = creds[:secret_access_key] + ENV['AWS_SESSION_TOKEN'] = creds[:session_token] + ENV['AWS_CREDENTIAL_SCOPE'] = creds[:credential_scope] creds end @@ -40,6 +46,7 @@ def with_config_credentials allow(config).to receive(:access_key_id).and_return(creds[:access_key_id]) allow(config).to receive(:secret_access_key).and_return(creds[:secret_access_key]) allow(config).to receive(:session_token).and_return(creds[:session_token]) + allow(config).to receive(:credential_scope).and_return(creds[:credential_scope]) creds end @@ -49,15 +56,15 @@ def validate_credentials(expected_creds) expect(creds.access_key_id).to eq(expected_creds[:access_key_id]) expect(creds.secret_access_key).to eq(expected_creds[:secret_access_key]) expect(creds.session_token).to eq(expected_creds[:session_token]) + expect(creds.credential_scope).to eq(expected_creds[:credential_scope]) end - let(:env) { {} } - let(:config) do double('config', access_key_id: nil, secret_access_key: nil, session_token: nil, + credential_scope: nil, profile: nil, region: nil, instance_profile_credentials_timeout: 1, 
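Review bot: `with_env_credentials` now writes to the process-wide `ENV` rather than the stubbed `env` hash, and the following hunks remove `let(:env) { {} }` and `stub_const('ENV', env)` and make the same switch in the four `hydrates credentials from ENV` examples. Unless a hook outside these hunks snapshots and restores the environment, values set by one example stay visible to every later one. Any real `AWS_*` variables on a developer or CI machine also become inputs to the chain under test. Either keep the isolation with `stub_const('ENV', env)`, or add an explicit reset such as `around { |ex| saved = ENV.to_h; ex.run; ENV.replace(saved) }` and clear the credential variables before each example.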
@@ -71,7 +78,6 @@ def validate_credentials(expected_creds) let(:credentials) { chain.resolve } before(:each) do - stub_const('ENV', env) allow(InstanceProfileCredentials).to receive(:new).and_return(mock_instance_creds) end 
@@ -82,31 +88,32 @@ def validate_credentials(expected_creds) it 'hydrates credentials from ENV with prefix AWS_' do expected_creds = random_creds - env['AWS_ACCESS_KEY_ID'] = expected_creds[:access_key_id] - env['AWS_SECRET_ACCESS_KEY'] = expected_creds[:secret_access_key] - env['AWS_SESSION_TOKEN'] = expected_creds[:session_token] + ENV['AWS_ACCESS_KEY_ID'] = expected_creds[:access_key_id] + ENV['AWS_SECRET_ACCESS_KEY'] = expected_creds[:secret_access_key] + ENV['AWS_SESSION_TOKEN'] = expected_creds[:session_token] + ENV['AWS_CREDENTIAL_SCOPE'] = expected_creds[:credential_scope] validate_credentials(expected_creds) end it 'hydrates credentials from ENV with prefix AMAZON_' do - expected_creds = random_creds - env['AMAZON_ACCESS_KEY_ID'] = expected_creds[:access_key_id] - env['AMAZON_SECRET_ACCESS_KEY'] = expected_creds[:secret_access_key] - env['AMAZON_SESSION_TOKEN'] = expected_creds[:session_token] + expected_creds = random_creds.merge(credential_scope: nil) + ENV['AMAZON_ACCESS_KEY_ID'] = expected_creds[:access_key_id] + ENV['AMAZON_SECRET_ACCESS_KEY'] = expected_creds[:secret_access_key] + ENV['AMAZON_SESSION_TOKEN'] = expected_creds[:session_token] validate_credentials(expected_creds) end it 'hydrates credentials from ENV at AWS_ACCESS_KEY & AWS_SECRET_KEY' do - expected_creds = random_creds.merge(session_token: nil) - env['AWS_ACCESS_KEY'] = expected_creds[:access_key_id] - env['AWS_SECRET_KEY'] = expected_creds[:secret_access_key] + expected_creds = random_creds.merge(session_token: nil, credential_scope: nil) + ENV['AWS_ACCESS_KEY'] = expected_creds[:access_key_id] + ENV['AWS_SECRET_KEY'] = expected_creds[:secret_access_key] validate_credentials(expected_creds) end it 'hydrates credentials from ENV at AWS_ACCESS_KEY_ID & AWS_SECRET_KEY' do - expected_creds = random_creds.merge(session_token: nil) - env['AWS_ACCESS_KEY_ID'] = expected_creds[:access_key_id] - env['AWS_SECRET_KEY'] = expected_creds[:secret_access_key] + expected_creds = 
random_creds.merge(session_token: nil, credential_scope: nil) + ENV['AWS_ACCESS_KEY_ID'] = expected_creds[:access_key_id] + ENV['AWS_SECRET_KEY'] = expected_creds[:secret_access_key] validate_credentials(expected_creds) end diff --git a/gems/aws-sdk-core/spec/aws/credentials_spec.rb b/gems/aws-sdk-core/spec/aws/credentials_spec.rb index 598c5a122f8..bf5cea7a667 100644 --- a/gems/aws-sdk-core/spec/aws/credentials_spec.rb +++ b/gems/aws-sdk-core/spec/aws/credentials_spec.rb @@ -13,7 +13,7 @@ module Aws expect(Credentials.new('akid', 'secret').secret_access_key).to eq('secret') end - it 'provides access to the session tokey' do + it 'provides access to the session token' do creds = Credentials.new('akid', 'secret', 'token') expect(creds.session_token).to eq('token') end @@ -22,6 +22,21 @@ module Aws expect(Credentials.new('akid', 'secret').session_token).to be(nil) end + it 'takes extra properties after session token' do + expect do + Credentials.new('akid', 'secret', nil, foo: 'bar') + end.to_not raise_error + end + + it 'provides access to the credential scope' do + creds = Credentials.new('akid', 'secret', credential_scope: 'scope') + expect(creds.credential_scope).to eq('scope') + end + + it 'defaults the credential scope to nil' do + expect(Credentials.new('akid', 'secret').credential_scope).to be(nil) + end + describe '#set?' do it 'returns true when the key and secret are both non nil values' do diff --git a/gems/aws-sdk-core/spec/aws/process_credentials_spec.rb b/gems/aws-sdk-core/spec/aws/process_credentials_spec.rb index f7f6b9c44e9..e07144b8638 100644 --- a/gems/aws-sdk-core/spec/aws/process_credentials_spec.rb +++ b/gems/aws-sdk-core/spec/aws/process_credentials_spec.rb 
@@ -9,43 +9,44 @@ module Aws stub_const('ENV', {}) allow(Dir).to receive(:home).and_raise(ArgumentError) end - + it 'will read credentials from a process' do - creds = ProcessCredentials.new('echo \'{"Version":1,"AccessKeyId":"AK_PROC1","SecretAccessKey":"SECRET_AK_PROC1","SessionToken":"TOKEN_PROC1"}\'').credentials + creds = ProcessCredentials.new('echo \'{"Version":1,"AccessKeyId":"AK_PROC1","SecretAccessKey":"SECRET_AK_PROC1","SessionToken":"TOKEN_PROC1","CredentialScope":"CREDENTIAL_SCOPE_PROC1"}\'').credentials expect(creds.access_key_id).to eq('AK_PROC1') expect(creds.secret_access_key).to eq('SECRET_AK_PROC1') expect(creds.session_token).to eq('TOKEN_PROC1') + expect(creds.credential_scope).to eq('CREDENTIAL_SCOPE_PROC1') end it 'will throw an error when invalid JSON is returned' do expect { - creds = ProcessCredentials.new('echo \'{"Version":3,"AccessKeyId":"","SecretAccessKey":"","SessionToken":""\'').credentials + ProcessCredentials.new('echo \'{"Version":1,"AccessKeyId":"","SecretAccessKey":""\'').credentials }.to raise_error(Errors::InvalidProcessCredentialsPayload) end - it 'will throw an error when the process credentials payload version is invalid' do + it 'will throw an error when the process credentials payload version is invalid' do expect { - creds = ProcessCredentials.new('echo \'{"Version":3,"AccessKeyId":"","SecretAccessKey":"","SessionToken":""}\'').credentials + ProcessCredentials.new('echo \'{"Version":3,"AccessKeyId":"","SecretAccessKey":""}\'').credentials }.to raise_error(Errors::InvalidProcessCredentialsPayload) end - it 'will throw an error when the process credentials payload is malformed' do + it 'will throw an error when the process credentials payload is malformed' do expect { - creds = ProcessCredentials.new('echo \'{"Version":1}\'').credentials + ProcessCredentials.new('echo \'{"Version":1}\'').credentials }.to raise_error(Errors::InvalidProcessCredentialsPayload) end it 'will throw an error and expose the stderr output when the 
credential process has a nonzero exit status' do expect { - creds = ProcessCredentials.new('>&2 echo "Credential Provider Error"; false').credentials + ProcessCredentials.new('>&2 echo "Credential Provider Error"; false').credentials }.to raise_error(Errors::InvalidProcessCredentialsPayload) .and output("Credential Provider Error\n").to_stderr_from_any_process end it 'will throw an error when the credential process cant be found' do expect { - creds = ProcessCredentials.new('fake_proc').credentials + ProcessCredentials.new('fake_proc').credentials }.to raise_error(Errors::InvalidProcessCredentialsPayload) end end -end +end \ No newline at end of file diff --git a/gems/aws-sdk-core/spec/aws/shared_credentials_spec.rb b/gems/aws-sdk-core/spec/aws/shared_credentials_spec.rb index f05d08eea77..6b9eb754a58 100644 --- a/gems/aws-sdk-core/spec/aws/shared_credentials_spec.rb +++ b/gems/aws-sdk-core/spec/aws/shared_credentials_spec.rb @@ -25,6 +25,7 @@ module Aws expect(creds.access_key_id).to eq('ACCESS_KEY_0') expect(creds.secret_access_key).to eq('SECRET_KEY_0') expect(creds.session_token).to eq('TOKEN_0') + expect(creds.credential_scope).to eq('SCOPE_0') end it 'supports fetching profiles from ENV' do diff --git a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config index 0fd7c332e63..67fdf11ecfe 100644 --- a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config +++ b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_config @@ -6,6 +6,7 @@ region = us-east-1 aws_access_key_id = ACCESS_KEY_SHARED aws_secret_access_key = SECRET_KEY_SHARED aws_session_token = TOKEN_SHARED +aws_credential_scope = SCOPE_SHARED [profile assumerole_prof] role_arn = arn:aws:iam:123456789012:role/foo diff --git a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_credentials b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_credentials index b164395aa9d..a8f84a6f54e 100644 
--- a/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_credentials +++ b/gems/aws-sdk-core/spec/fixtures/credentials/mock_shared_credentials @@ -2,6 +2,7 @@ aws_access_key_id = ACCESS_KEY_0 aws_secret_access_key = SECRET_KEY_0 aws_session_token = TOKEN_0 +aws_credential_scope = SCOPE_0 [fooprofile] aws_access_key_id = ACCESS_KEY_1