chore(deps): update module github.com/aws/aws-sdk-go to v1.55.5 #2

Merged
kekskurse merged 1 commit from renovate/github.com-aws-aws-sdk-go-1.x into main 2024-09-14 01:23:02 +00:00
22 changed files with 13038 additions and 2628 deletions

2
go.mod
View file

@ -3,7 +3,7 @@ module idun
go 1.21 go 1.21
require ( require (
github.com/aws/aws-sdk-go v1.45.25 github.com/aws/aws-sdk-go v1.55.5
github.com/pkg/sftp v1.13.6 github.com/pkg/sftp v1.13.6
github.com/rs/zerolog v1.31.0 github.com/rs/zerolog v1.31.0
github.com/stretchr/testify v1.8.4 github.com/stretchr/testify v1.8.4

2
go.sum
View file

@ -1,5 +1,7 @@
github.com/aws/aws-sdk-go v1.45.25 h1:c4fLlh5sLdK2DCRTY1z0hyuJZU4ygxX8m1FswL6/nF4= github.com/aws/aws-sdk-go v1.45.25 h1:c4fLlh5sLdK2DCRTY1z0hyuJZU4ygxX8m1FswL6/nF4=
github.com/aws/aws-sdk-go v1.45.25/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go v1.45.25/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w= github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=

View file

@ -442,6 +442,17 @@ func (c *Config) WithUseDualStack(enable bool) *Config {
return c return c
} }
// WithUseFIPSEndpoint sets a config UseFIPSEndpoint value returning a Config
// pointer for chaining.
func (c *Config) WithUseFIPSEndpoint(enable bool) *Config {
if enable {
c.UseFIPSEndpoint = endpoints.FIPSEndpointStateEnabled
} else {
c.UseFIPSEndpoint = endpoints.FIPSEndpointStateDisabled
}
return c
}
// WithEC2MetadataDisableTimeoutOverride sets a config EC2MetadataDisableTimeoutOverride value // WithEC2MetadataDisableTimeoutOverride sets a config EC2MetadataDisableTimeoutOverride value
// returning a Config pointer for chaining. // returning a Config pointer for chaining.
func (c *Config) WithEC2MetadataDisableTimeoutOverride(enable bool) *Config { func (c *Config) WithEC2MetadataDisableTimeoutOverride(enable bool) *Config {

View file

@ -31,6 +31,8 @@ package endpointcreds
import ( import (
"encoding/json" "encoding/json"
"fmt"
"strings"
"time" "time"
"github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws"
@ -69,7 +71,37 @@ type Provider struct {
// Optional authorization token value if set will be used as the value of // Optional authorization token value if set will be used as the value of
// the Authorization header of the endpoint credential request. // the Authorization header of the endpoint credential request.
//
// When constructed from environment, the provider will use the value of
// AWS_CONTAINER_AUTHORIZATION_TOKEN environment variable as the token
//
// Will be overridden if AuthorizationTokenProvider is configured
AuthorizationToken string AuthorizationToken string
// Optional auth provider func to dynamically load the auth token from a file
// everytime a credential is retrieved
//
// When constructed from environment, the provider will read and use the content
// of the file pointed to by AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE environment variable
// as the auth token everytime credentials are retrieved
//
// Will override AuthorizationToken if configured
AuthorizationTokenProvider AuthTokenProvider
}
// AuthTokenProvider defines an interface to dynamically load a value to be passed
// for the Authorization header of a credentials request.
type AuthTokenProvider interface {
GetToken() (string, error)
}
// TokenProviderFunc is a func type implementing AuthTokenProvider interface
// and enables customizing token provider behavior
type TokenProviderFunc func() (string, error)
// GetToken func retrieves auth token according to TokenProviderFunc implementation
func (p TokenProviderFunc) GetToken() (string, error) {
return p()
} }
// NewProviderClient returns a credentials Provider for retrieving AWS credentials // NewProviderClient returns a credentials Provider for retrieving AWS credentials
@ -164,7 +196,20 @@ func (p *Provider) getCredentials(ctx aws.Context) (*getCredentialsOutput, error
req := p.Client.NewRequest(op, nil, out) req := p.Client.NewRequest(op, nil, out)
req.SetContext(ctx) req.SetContext(ctx)
req.HTTPRequest.Header.Set("Accept", "application/json") req.HTTPRequest.Header.Set("Accept", "application/json")
if authToken := p.AuthorizationToken; len(authToken) != 0 {
authToken := p.AuthorizationToken
var err error
if p.AuthorizationTokenProvider != nil {
authToken, err = p.AuthorizationTokenProvider.GetToken()
if err != nil {
return nil, fmt.Errorf("get authorization token: %v", err)
}
}
if strings.ContainsAny(authToken, "\r\n") {
return nil, fmt.Errorf("authorization token contains invalid newline sequence")
}
if len(authToken) != 0 {
req.HTTPRequest.Header.Set("Authorization", authToken) req.HTTPRequest.Header.Set("Authorization", authToken)
} }

View file

@ -9,6 +9,7 @@ package defaults
import ( import (
"fmt" "fmt"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"net/url" "net/url"
@ -115,9 +116,31 @@ func CredProviders(cfg *aws.Config, handlers request.Handlers) []credentials.Pro
const ( const (
httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN" httpProviderAuthorizationEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN"
httpProviderAuthFileEnvVar = "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"
httpProviderEnvVar = "AWS_CONTAINER_CREDENTIALS_FULL_URI" httpProviderEnvVar = "AWS_CONTAINER_CREDENTIALS_FULL_URI"
) )
// direct representation of the IPv4 address for the ECS container
// "169.254.170.2"
var ecsContainerIPv4 net.IP = []byte{
169, 254, 170, 2,
}
// direct representation of the IPv4 address for the EKS container
// "169.254.170.23"
var eksContainerIPv4 net.IP = []byte{
169, 254, 170, 23,
}
// direct representation of the IPv6 address for the EKS container
// "fd00:ec2::23"
var eksContainerIPv6 net.IP = []byte{
0xFD, 0, 0xE, 0xC2,
0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0x23,
}
// RemoteCredProvider returns a credentials provider for the default remote // RemoteCredProvider returns a credentials provider for the default remote
// endpoints such as EC2 or ECS Roles. // endpoints such as EC2 or ECS Roles.
func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider { func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.Provider {
@ -135,19 +158,22 @@ func RemoteCredProvider(cfg aws.Config, handlers request.Handlers) credentials.P
var lookupHostFn = net.LookupHost var lookupHostFn = net.LookupHost
func isLoopbackHost(host string) (bool, error) { // isAllowedHost allows host to be loopback or known ECS/EKS container IPs
ip := net.ParseIP(host) //
if ip != nil { // host can either be an IP address OR an unresolved hostname - resolution will
return ip.IsLoopback(), nil // be automatically performed in the latter case
func isAllowedHost(host string) (bool, error) {
if ip := net.ParseIP(host); ip != nil {
return isIPAllowed(ip), nil
} }
// Host is not an ip, perform lookup
addrs, err := lookupHostFn(host) addrs, err := lookupHostFn(host)
if err != nil { if err != nil {
return false, err return false, err
} }
for _, addr := range addrs { for _, addr := range addrs {
if !net.ParseIP(addr).IsLoopback() { if ip := net.ParseIP(addr); ip == nil || !isIPAllowed(ip) {
return false, nil return false, nil
} }
} }
@ -155,6 +181,13 @@ func isLoopbackHost(host string) (bool, error) {
return true, nil return true, nil
} }
func isIPAllowed(ip net.IP) bool {
return ip.IsLoopback() ||
ip.Equal(ecsContainerIPv4) ||
ip.Equal(eksContainerIPv4) ||
ip.Equal(eksContainerIPv6)
}
func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider { func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string) credentials.Provider {
var errMsg string var errMsg string
@ -165,10 +198,12 @@ func localHTTPCredProvider(cfg aws.Config, handlers request.Handlers, u string)
host := aws.URLHostname(parsed) host := aws.URLHostname(parsed)
if len(host) == 0 { if len(host) == 0 {
errMsg = "unable to parse host from local HTTP cred provider URL" errMsg = "unable to parse host from local HTTP cred provider URL"
} else if isLoopback, loopbackErr := isLoopbackHost(host); loopbackErr != nil { } else if parsed.Scheme == "http" {
errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, loopbackErr) if isAllowedHost, allowHostErr := isAllowedHost(host); allowHostErr != nil {
} else if !isLoopback { errMsg = fmt.Sprintf("failed to resolve host %q, %v", host, allowHostErr)
errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback hosts are allowed.", host) } else if !isAllowedHost {
errMsg = fmt.Sprintf("invalid endpoint host, %q, only loopback/ecs/eks hosts are allowed.", host)
}
} }
} }
@ -190,6 +225,15 @@ func httpCredProvider(cfg aws.Config, handlers request.Handlers, u string) crede
func(p *endpointcreds.Provider) { func(p *endpointcreds.Provider) {
p.ExpiryWindow = 5 * time.Minute p.ExpiryWindow = 5 * time.Minute
p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar) p.AuthorizationToken = os.Getenv(httpProviderAuthorizationEnvVar)
if authFilePath := os.Getenv(httpProviderAuthFileEnvVar); authFilePath != "" {
p.AuthorizationTokenProvider = endpointcreds.TokenProviderFunc(func() (string, error) {
if contents, err := ioutil.ReadFile(authFilePath); err != nil {
return "", fmt.Errorf("failed to read authorization token from %v: %v", authFilePath, err)
} else {
return string(contents), nil
}
})
}
}, },
) )
} }

View file

@ -2,6 +2,7 @@ package ec2metadata
import ( import (
"fmt" "fmt"
"github.com/aws/aws-sdk-go/aws"
"net/http" "net/http"
"sync/atomic" "sync/atomic"
"time" "time"
@ -65,7 +66,9 @@ func (t *tokenProvider) fetchTokenHandler(r *request.Request) {
switch requestFailureError.StatusCode() { switch requestFailureError.StatusCode() {
case http.StatusForbidden, http.StatusNotFound, http.StatusMethodNotAllowed: case http.StatusForbidden, http.StatusNotFound, http.StatusMethodNotAllowed:
atomic.StoreUint32(&t.disabled, 1) atomic.StoreUint32(&t.disabled, 1)
t.client.Config.Logger.Log(fmt.Sprintf("WARN: failed to get session token, falling back to IMDSv1: %v", requestFailureError)) if t.client.Config.LogLevel.Matches(aws.LogDebugWithDeprecated) {
t.client.Config.Logger.Log(fmt.Sprintf("WARN: failed to get session token, falling back to IMDSv1: %v", requestFailureError))
}
case http.StatusBadRequest: case http.StatusBadRequest:
r.Error = requestFailureError r.Error = requestFailureError
} }

File diff suppressed because it is too large Load diff

View file

@ -256,8 +256,17 @@ func (a *WaiterAcceptor) match(name string, l aws.Logger, req *Request, err erro
s := a.Expected.(int) s := a.Expected.(int)
result = s == req.HTTPResponse.StatusCode result = s == req.HTTPResponse.StatusCode
case ErrorWaiterMatch: case ErrorWaiterMatch:
if aerr, ok := err.(awserr.Error); ok { switch ex := a.Expected.(type) {
result = aerr.Code() == a.Expected.(string) case string:
if aerr, ok := err.(awserr.Error); ok {
result = aerr.Code() == ex
}
case bool:
if ex {
result = err != nil
} else {
result = err == nil
}
} }
default: default:
waiterLogf(l, "WARNING: Waiter %s encountered unexpected matcher: %s", waiterLogf(l, "WARNING: Waiter %s encountered unexpected matcher: %s",

View file

@ -171,6 +171,12 @@ type envConfig struct {
// AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6 // AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6
EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState
// Specifies that IMDS clients should not fallback to IMDSv1 if token
// requests fail.
//
// AWS_EC2_METADATA_V1_DISABLED=true
EC2IMDSv1Disabled *bool
// Specifies that SDK clients must resolve a dual-stack endpoint for // Specifies that SDK clients must resolve a dual-stack endpoint for
// services. // services.
// //
@ -251,6 +257,9 @@ var (
ec2IMDSEndpointModeEnvKey = []string{ ec2IMDSEndpointModeEnvKey = []string{
"AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE", "AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE",
} }
ec2MetadataV1DisabledEnvKey = []string{
"AWS_EC2_METADATA_V1_DISABLED",
}
useCABundleKey = []string{ useCABundleKey = []string{
"AWS_CA_BUNDLE", "AWS_CA_BUNDLE",
} }
@ -393,6 +402,7 @@ func envConfigLoad(enableSharedConfig bool) (envConfig, error) {
if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil { if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil {
return envConfig{}, err return envConfig{}, err
} }
setBoolPtrFromEnvVal(&cfg.EC2IMDSv1Disabled, ec2MetadataV1DisabledEnvKey)
if err := setUseDualStackEndpointFromEnvVal(&cfg.UseDualStackEndpoint, awsUseDualStackEndpoint); err != nil { if err := setUseDualStackEndpointFromEnvVal(&cfg.UseDualStackEndpoint, awsUseDualStackEndpoint); err != nil {
return cfg, err return cfg, err
@ -414,6 +424,24 @@ func setFromEnvVal(dst *string, keys []string) {
} }
} }
func setBoolPtrFromEnvVal(dst **bool, keys []string) {
for _, k := range keys {
value := os.Getenv(k)
if len(value) == 0 {
continue
}
switch {
case strings.EqualFold(value, "false"):
*dst = new(bool)
**dst = false
case strings.EqualFold(value, "true"):
*dst = new(bool)
**dst = true
}
}
}
func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error { func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error {
for _, k := range keys { for _, k := range keys {
value := os.Getenv(k) value := os.Getenv(k)

View file

@ -779,6 +779,14 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode) cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
} }
cfg.EC2MetadataEnableFallback = userCfg.EC2MetadataEnableFallback
if cfg.EC2MetadataEnableFallback == nil && envCfg.EC2IMDSv1Disabled != nil {
cfg.EC2MetadataEnableFallback = aws.Bool(!*envCfg.EC2IMDSv1Disabled)
}
if cfg.EC2MetadataEnableFallback == nil && sharedCfg.EC2IMDSv1Disabled != nil {
cfg.EC2MetadataEnableFallback = aws.Bool(!*sharedCfg.EC2IMDSv1Disabled)
}
cfg.S3UseARNRegion = userCfg.S3UseARNRegion cfg.S3UseARNRegion = userCfg.S3UseARNRegion
if cfg.S3UseARNRegion == nil { if cfg.S3UseARNRegion == nil {
cfg.S3UseARNRegion = &envCfg.S3UseARNRegion cfg.S3UseARNRegion = &envCfg.S3UseARNRegion

View file

@ -80,6 +80,9 @@ const (
// EC2 IMDS Endpoint // EC2 IMDS Endpoint
ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint" ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint"
// ECS IMDSv1 disable fallback
ec2MetadataV1DisabledKey = "ec2_metadata_v1_disabled"
// Use DualStack Endpoint Resolution // Use DualStack Endpoint Resolution
useDualStackEndpoint = "use_dualstack_endpoint" useDualStackEndpoint = "use_dualstack_endpoint"
@ -179,6 +182,12 @@ type sharedConfig struct {
// ec2_metadata_service_endpoint=http://fd00:ec2::254 // ec2_metadata_service_endpoint=http://fd00:ec2::254
EC2IMDSEndpoint string EC2IMDSEndpoint string
// Specifies that IMDS clients should not fallback to IMDSv1 if token
// requests fail.
//
// ec2_metadata_v1_disabled=true
EC2IMDSv1Disabled *bool
// Specifies that SDK clients must resolve a dual-stack endpoint for // Specifies that SDK clients must resolve a dual-stack endpoint for
// services. // services.
// //
@ -434,6 +443,7 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
ec2MetadataServiceEndpointModeKey, file.Filename, err) ec2MetadataServiceEndpointModeKey, file.Filename, err)
} }
updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey) updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey)
updateBoolPtr(&cfg.EC2IMDSv1Disabled, section, ec2MetadataV1DisabledKey)
updateUseDualStackEndpoint(&cfg.UseDualStackEndpoint, section, useDualStackEndpoint) updateUseDualStackEndpoint(&cfg.UseDualStackEndpoint, section, useDualStackEndpoint)

View file

@ -125,6 +125,7 @@ var requiredSignedHeaders = rules{
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{},
"X-Amz-Expected-Bucket-Owner": struct{}{},
"X-Amz-Grant-Full-control": struct{}{}, "X-Amz-Grant-Full-control": struct{}{},
"X-Amz-Grant-Read": struct{}{}, "X-Amz-Grant-Read": struct{}{},
"X-Amz-Grant-Read-Acp": struct{}{}, "X-Amz-Grant-Read-Acp": struct{}{},

View file

@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go" const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK // SDKVersion is the version of this SDK
const SDKVersion = "1.45.25" const SDKVersion = "1.55.5"

View file

@ -122,8 +122,8 @@ func (q *queryParser) parseStruct(v url.Values, value reflect.Value, prefix stri
} }
func (q *queryParser) parseList(v url.Values, value reflect.Value, prefix string, tag reflect.StructTag) error { func (q *queryParser) parseList(v url.Values, value reflect.Value, prefix string, tag reflect.StructTag) error {
// If it's empty, generate an empty value // If it's empty, and not ec2, generate an empty value
if !value.IsNil() && value.Len() == 0 { if !value.IsNil() && value.Len() == 0 && !q.isEC2 {
v.Set(prefix, "") v.Set(prefix, "")
return nil return nil
} }

File diff suppressed because it is too large Load diff

View file

@ -25,6 +25,15 @@ const (
// "InvalidObjectState". // "InvalidObjectState".
// //
// Object is archived and inaccessible until restored. // Object is archived and inaccessible until restored.
//
// If the object you are retrieving is stored in the S3 Glacier Flexible Retrieval
// storage class, the S3 Glacier Deep Archive storage class, the S3 Intelligent-Tiering
// Archive Access tier, or the S3 Intelligent-Tiering Deep Archive Access tier,
// before you can retrieve the object you must first restore a copy using RestoreObject
// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html).
// Otherwise, this operation returns an InvalidObjectState error. For information
// about restoring archived objects, see Restoring Archived Objects (https://docs.aws.amazon.com/AmazonS3/latest/dev/restoring-objects.html)
// in the Amazon S3 User Guide.
ErrCodeInvalidObjectState = "InvalidObjectState" ErrCodeInvalidObjectState = "InvalidObjectState"
// ErrCodeNoSuchBucket for service response error code // ErrCodeNoSuchBucket for service response error code

File diff suppressed because it is too large Load diff

View file

@ -3,15 +3,13 @@
// Package ssooidc provides the client and types for making API // Package ssooidc provides the client and types for making API
// requests to AWS SSO OIDC. // requests to AWS SSO OIDC.
// //
// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect // IAM Identity Center OpenID Connect (OIDC) is a web service that enables a
// (OIDC) is a web service that enables a client (such as AWS CLI or a native // client (such as CLI or a native application) to register with IAM Identity
// application) to register with IAM Identity Center. The service also enables // Center. The service also enables the client to fetch the users access
// the client to fetch the users access token upon successful authentication // token upon successful authentication and authorization with IAM Identity
// and authorization with IAM Identity Center. // Center.
// //
// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces // IAM Identity Center uses the sso and identitystore API namespaces.
// will continue to retain their original name for backward compatibility purposes.
// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
// //
// # Considerations for Using This Guide // # Considerations for Using This Guide
// //
@ -22,21 +20,24 @@
// - The IAM Identity Center OIDC service currently implements only the portions // - The IAM Identity Center OIDC service currently implements only the portions
// of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628 // of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
// (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single // (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
// sign-on authentication with the AWS CLI. Support for other OIDC flows // sign-on authentication with the CLI.
// frequently needed for native applications, such as Authorization Code
// Flow (+ PKCE), will be addressed in future releases.
// //
// - The service emits only OIDC access tokens, such that obtaining a new // - With older versions of the CLI, the service only emits OIDC access tokens,
// token (For example, token refresh) requires explicit user re-authentication. // so to obtain a new token, users must explicitly re-authenticate. To access
// the OIDC flow that supports token refresh and doesnt require re-authentication,
// update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI
// V2) with support for OIDC token refresh and configurable IAM Identity
// Center session durations. For more information, see Configure Amazon Web
// Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html).
// //
// - The access tokens provided by this service grant access to all AWS account // - The access tokens provided by this service grant access to all Amazon
// entitlements assigned to an IAM Identity Center user, not just a particular // Web Services account entitlements assigned to an IAM Identity Center user,
// application. // not just a particular application.
// //
// - The documentation in this guide does not describe the mechanism to convert // - The documentation in this guide does not describe the mechanism to convert
// the access token into AWS Auth (“sigv4”) credentials for use with // the access token into Amazon Web Services Auth (“sigv4”) credentials
// IAM-protected AWS service endpoints. For more information, see GetRoleCredentials // for use with IAM-protected Amazon Web Services service endpoints. For
// (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) // more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
// in the IAM Identity Center Portal API Reference Guide. // in the IAM Identity Center Portal API Reference Guide.
// //
// For general information about IAM Identity Center, see What is IAM Identity // For general information about IAM Identity Center, see What is IAM Identity

View file

@ -57,6 +57,13 @@ const (
// makes a CreateToken request with an invalid grant type. // makes a CreateToken request with an invalid grant type.
ErrCodeInvalidGrantException = "InvalidGrantException" ErrCodeInvalidGrantException = "InvalidGrantException"
// ErrCodeInvalidRedirectUriException for service response error code
// "InvalidRedirectUriException".
//
// Indicates that one or more redirect URI in the request is not supported for
// this operation.
ErrCodeInvalidRedirectUriException = "InvalidRedirectUriException"
// ErrCodeInvalidRequestException for service response error code // ErrCodeInvalidRequestException for service response error code
// "InvalidRequestException". // "InvalidRequestException".
// //
@ -64,6 +71,13 @@ const (
// a required parameter might be missing or out of range. // a required parameter might be missing or out of range.
ErrCodeInvalidRequestException = "InvalidRequestException" ErrCodeInvalidRequestException = "InvalidRequestException"
// ErrCodeInvalidRequestRegionException for service response error code
// "InvalidRequestRegionException".
//
// Indicates that a token provided as input to the request was issued by and
// is only usable by calling IAM Identity Center endpoints in another region.
ErrCodeInvalidRequestRegionException = "InvalidRequestRegionException"
// ErrCodeInvalidScopeException for service response error code // ErrCodeInvalidScopeException for service response error code
// "InvalidScopeException". // "InvalidScopeException".
// //
@ -99,7 +113,9 @@ var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
"InvalidClientException": newErrorInvalidClientException, "InvalidClientException": newErrorInvalidClientException,
"InvalidClientMetadataException": newErrorInvalidClientMetadataException, "InvalidClientMetadataException": newErrorInvalidClientMetadataException,
"InvalidGrantException": newErrorInvalidGrantException, "InvalidGrantException": newErrorInvalidGrantException,
"InvalidRedirectUriException": newErrorInvalidRedirectUriException,
"InvalidRequestException": newErrorInvalidRequestException, "InvalidRequestException": newErrorInvalidRequestException,
"InvalidRequestRegionException": newErrorInvalidRequestRegionException,
"InvalidScopeException": newErrorInvalidScopeException, "InvalidScopeException": newErrorInvalidScopeException,
"SlowDownException": newErrorSlowDownException, "SlowDownException": newErrorSlowDownException,
"UnauthorizedClientException": newErrorUnauthorizedClientException, "UnauthorizedClientException": newErrorUnauthorizedClientException,

View file

@ -51,7 +51,7 @@ const (
func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC { func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
c := p.ClientConfig(EndpointsID, cfgs...) c := p.ClientConfig(EndpointsID, cfgs...)
if c.SigningNameDerived || len(c.SigningName) == 0 { if c.SigningNameDerived || len(c.SigningName) == 0 {
c.SigningName = "awsssooidc" c.SigningName = "sso-oauth"
} }
return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion) return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
} }

View file

@ -1460,7 +1460,15 @@ type AssumeRoleInput struct {
// in the IAM User Guide. // in the IAM User Guide.
PolicyArns []*PolicyDescriptorType `type:"list"` PolicyArns []*PolicyDescriptorType `type:"list"`
// Reserved for future use. // A list of previously acquired trusted context assertions in the format of
// a JSON array. The trusted context assertion is signed and encrypted by Amazon
// Web Services STS.
//
// The following is an example of a ProvidedContext value that includes a single
// trusted context assertion and the ARN of the context provider from which
// the trusted context assertion was generated.
//
// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
ProvidedContexts []*ProvidedContext `type:"list"` ProvidedContexts []*ProvidedContext `type:"list"`
// The Amazon Resource Name (ARN) of the role to assume. // The Amazon Resource Name (ARN) of the role to assume.
@ -3405,14 +3413,18 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
return s return s
} }
// Reserved for future use. // Contains information about the provided context. This includes the signed
// and encrypted trusted context assertion and the context provider ARN from
// which the trusted context assertion was generated.
type ProvidedContext struct { type ProvidedContext struct {
_ struct{} `type:"structure"` _ struct{} `type:"structure"`
// Reserved for future use. // The signed and encrypted trusted context assertion generated by the context
// provider. The trusted context assertion is signed and encrypted by Amazon
// Web Services STS.
ContextAssertion *string `min:"4" type:"string"` ContextAssertion *string `min:"4" type:"string"`
// Reserved for future use. // The context provider ARN from which the trusted context assertion was generated.
ProviderArn *string `min:"20" type:"string"` ProviderArn *string `min:"20" type:"string"`
} }

4
vendor/modules.txt vendored
View file

@ -1,5 +1,5 @@
# github.com/aws/aws-sdk-go v1.45.25 # github.com/aws/aws-sdk-go v1.55.5
## explicit; go 1.11 ## explicit; go 1.19
github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws
github.com/aws/aws-sdk-go/aws/arn github.com/aws/aws-sdk-go/aws/arn
github.com/aws/aws-sdk-go/aws/auth/bearer github.com/aws/aws-sdk-go/aws/auth/bearer