diff --git a/build_tools/services.rb b/build_tools/services.rb index ccdc9470da7..ed6a541c482 100644 --- a/build_tools/services.rb +++ b/build_tools/services.rb @@ -9,10 +9,10 @@ class ServiceEnumerator MANIFEST_PATH = File.expand_path('../../services.json', __FILE__) # Minimum `aws-sdk-core` version for new gem builds - MINIMUM_CORE_VERSION = "3.225.0" + MINIMUM_CORE_VERSION = "3.227.0" # Minimum `aws-sdk-core` version for new S3 gem builds - MINIMUM_CORE_VERSION_S3 = "3.225.0" + MINIMUM_CORE_VERSION_S3 = "3.227.0" EVENTSTREAM_PLUGIN = "Aws::Plugins::EventStreamConfiguration" diff --git a/gems/aws-sdk-bedrock/CHANGELOG.md b/gems/aws-sdk-bedrock/CHANGELOG.md index afd6e09d328..ab48d1711ff 100644 --- a/gems/aws-sdk-bedrock/CHANGELOG.md +++ b/gems/aws-sdk-bedrock/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased Changes ------------------ +* Feature - Support `ENV['AWS_BEARER_TOKEN_BEDROCK']` for authentication with Amazon Bedrock APIs. + 1.54.0 (2025-07-16) ------------------ diff --git a/gems/aws-sdk-bedrock/lib/aws-sdk-bedrock/plugins/bearer_authorization.rb b/gems/aws-sdk-bedrock/lib/aws-sdk-bedrock/plugins/bearer_authorization.rb new file mode 100644 index 00000000000..f8bb6f85292 --- /dev/null +++ b/gems/aws-sdk-bedrock/lib/aws-sdk-bedrock/plugins/bearer_authorization.rb 
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Aws::Bedrock
+ module Plugins
+ # @api private
+ class BearerAuthorization < Seahorse::Client::Plugin
+ def after_initialize(client)
+ return unless (token = ENV['AWS_BEARER_TOKEN_BEDROCK'])
+
+ token_provider = Aws::StaticTokenProvider.new(token)
+ token_provider.metrics = ['BEARER_SERVICE_ENV_VARS']
+ client.config.token_provider ||= token_provider
+ end
+
+ class Handler < Seahorse::Client::Handler
+ def call(context)
+ # This also sets the preferred auth scheme even if the code token has precedence.
+ context[:auth_scheme] = { 'name' => 'bearer' } if ENV['AWS_BEARER_TOKEN_BEDROCK']
+ @handler.call(context)
+ end
+ end
+
+ # After endpoint/auth but before builders.
+ handle(Handler, priority: 60)
+ end
+ end
+end
diff --git a/gems/aws-sdk-bedrock/spec/client_spec.rb b/gems/aws-sdk-bedrock/spec/client_spec.rb
new file mode 100644
index 00000000000..5fb4f165124
--- /dev/null
+++ b/gems/aws-sdk-bedrock/spec/client_spec.rb
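Review bot: The presence checks on `ENV['AWS_BEARER_TOKEN_BEDROCK']` in `after_initialize` and in `Handler#call` accept an empty string, which is truthy in Ruby, so an exported-but-blank variable still installs a `StaticTokenProvider` and still forces `context[:auth_scheme]` to bearer on every request. If the signer treats an empty token as unset (`Token#set?` is not visible here), every call would then fail with `MissingBearerTokenError` even when SigV4 credentials are available. The handler also re-reads ENV per request while the provider is fixed at client construction, so the two can disagree if the variable changes after the client is built. Consider `token = ENV['AWS_BEARER_TOKEN_BEDROCK']` followed by `return if token.nil? || token.empty?`, with the same emptiness test in the handler's condition; the identical plugin added under aws-sdk-bedrockruntime has the same checks and needs the same change.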
@@ -0,0 +1,67 @@ +# frozen_string_literal: true + +require_relative 'spec_helper' + +module Aws + module Bedrock + describe Client do + def metrics_from_user_agent_header(resp) + header = resp.context.http_request.headers['User-Agent'] + header.match(%r{ m/([A-Za-z0-9+-,]+)})[1].split(',') + end + + it 'uses a bearer token from the environment' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new(stub_responses: true, token_provider: nil) + expect(client.config.token_provider.token.token).to eq('bedrock-token') + resp = client.list_imported_models + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token') + end + + it 'does not use a token for a different service' do + ENV['AWS_BEARER_TOKEN_FOO'] = 'foo-token' + client = Client.new(stub_responses: true, token_provider: nil) + expect(client.config.token_provider).to be_nil + resp = client.list_imported_models + expect(resp.context.http_request.headers['Authorization']).to_not eq('Bearer foo-token') + end + + it 'still prefers bearer token when given an auth scheme preference' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + ENV['AWS_AUTH_SCHEME_PREFERENCE'] = 'sigv4,httpBearerAuth' + client = Client.new(stub_responses: true, token_provider: nil) + resp = client.list_imported_models + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token') + end + + it 'uses the token value from code over the environment token' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new( + stub_responses: true, + token_provider: Aws::StaticTokenProvider.new('explicit-code-token') + ) + resp = client.list_imported_models + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer explicit-code-token') + end + + it 'sets a user agent metric' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new(stub_responses: true, token_provider: nil) + resp = client.list_imported_models + metrics = 
metrics_from_user_agent_header(resp) + expect(metrics).to include('3') + end + + it 'does not set a user agent metric when using a token from code' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new( + stub_responses: true, + token_provider: Aws::StaticTokenProvider.new('explicit-code-token') + ) + resp = client.list_imported_models + metrics = metrics_from_user_agent_header(resp) + expect(metrics).to_not include('3') + end + end + end +end diff --git a/gems/aws-sdk-bedrockruntime/CHANGELOG.md b/gems/aws-sdk-bedrockruntime/CHANGELOG.md index cddb8eaf3cb..ba7bdd33216 100644 --- a/gems/aws-sdk-bedrockruntime/CHANGELOG.md +++ b/gems/aws-sdk-bedrockruntime/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased Changes ------------------ +* Feature - Support `ENV['AWS_BEARER_TOKEN_BEDROCK']` for authentication with Amazon Bedrock APIs. + 1.51.0 (2025-07-16) ------------------ diff --git a/gems/aws-sdk-bedrockruntime/lib/aws-sdk-bedrockruntime/plugins/bearer_authorization.rb b/gems/aws-sdk-bedrockruntime/lib/aws-sdk-bedrockruntime/plugins/bearer_authorization.rb new file mode 100644 index 00000000000..028d3017780 --- /dev/null +++ b/gems/aws-sdk-bedrockruntime/lib/aws-sdk-bedrockruntime/plugins/bearer_authorization.rb 
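Review bot: Every example in this spec writes `ENV['AWS_BEARER_TOKEN_BEDROCK']` (one also writes `ENV['AWS_AUTH_SCHEME_PREFERENCE']`) and none restores it, so 'does not use a token for a different service' only holds if something outside this file resets ENV between examples. An explicit `after { ENV.delete('AWS_BEARER_TOKEN_BEDROCK') }` (and the same for the preference variable) would make the isolation visible in the spec itself. That negative example also only asserts the header is not `'Bearer foo-token'`; asserting that it does not start with `'Bearer '` would pin the intent that no bearer credential is sent at all. The aws-sdk-bedrockruntime spec added later in this commit follows the same pattern.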
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Aws::BedrockRuntime
+ module Plugins
+ # @api private
+ class BearerAuthorization < Seahorse::Client::Plugin
+ def after_initialize(client)
+ return unless (token = ENV['AWS_BEARER_TOKEN_BEDROCK'])
+
+ token_provider = Aws::StaticTokenProvider.new(token)
+ token_provider.metrics = ['BEARER_SERVICE_ENV_VARS']
+ client.config.token_provider ||= token_provider
+ end
+
+ class Handler < Seahorse::Client::Handler
+ def call(context)
+ # This also sets the preferred auth scheme even if the code token has precedence.
+ context[:auth_scheme] = { 'name' => 'bearer' } if ENV['AWS_BEARER_TOKEN_BEDROCK']
+ @handler.call(context)
+ end
+ end
+
+ # After endpoint/auth but before builders.
+ handle(Handler, priority: 60)
+ end
+ end
+end
diff --git a/gems/aws-sdk-bedrockruntime/spec/client_spec.rb b/gems/aws-sdk-bedrockruntime/spec/client_spec.rb
new file mode 100644
index 00000000000..53f17bfaf9d
--- /dev/null
+++ b/gems/aws-sdk-bedrockruntime/spec/client_spec.rb
@@ -0,0 +1,73 @@ +# frozen_string_literal: true + +require_relative 'spec_helper' + +module Aws + module BedrockRuntime + describe Client do + def metrics_from_user_agent_header(resp) + header = resp.context.http_request.headers['User-Agent'] + header.match(%r{ m/([A-Za-z0-9+-,]+)})[1].split(',') + end + + def invoke_model(client) + stub = client.stub_data(:invoke_model, body: 'test') + client.stub_responses(:invoke_model, stub) + client.invoke_model(model_id: 'test') + end + + it 'uses a bearer token from the environment' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new(stub_responses: true, token_provider: nil) + expect(client.config.token_provider.token.token).to eq('bedrock-token') + resp = invoke_model(client) + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token') + end + + it 'does not use a token for a different service' do + ENV['AWS_BEARER_TOKEN_FOO'] = 'foo-token' + client = Client.new(stub_responses: true, token_provider: nil) + expect(client.config.token_provider).to be_nil + resp = invoke_model(client) + expect(resp.context.http_request.headers['Authorization']).to_not eq('Bearer foo-token') + end + + it 'still prefers bearer token when given an auth scheme preference' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + ENV['AWS_AUTH_SCHEME_PREFERENCE'] = 'sigv4,httpBearerAuth' + client = Client.new(stub_responses: true, token_provider: nil) + resp = invoke_model(client) + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token') + end + + it 'uses explicit config over the environment token' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new( + stub_responses: true, + token_provider: Aws::StaticTokenProvider.new('explicit-code-token') + ) + resp = invoke_model(client) + expect(resp.context.http_request.headers['Authorization']).to eq('Bearer explicit-code-token') + end + + it 'sets a user agent metric' do + 
ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new(stub_responses: true, token_provider: nil) + resp = invoke_model(client) + metrics = metrics_from_user_agent_header(resp) + expect(metrics).to include('3') + end + + it 'does not set a user agent metric when using a token from code' do + ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token' + client = Client.new( + stub_responses: true, + token_provider: Aws::StaticTokenProvider.new('explicit-code-token') + ) + resp = invoke_model(client) + metrics = metrics_from_user_agent_header(resp) + expect(metrics).to_not include('3') + end + end + end +end diff --git a/gems/aws-sdk-core/CHANGELOG.md b/gems/aws-sdk-core/CHANGELOG.md index f4711dda195..9b46fdf58a1 100644 --- a/gems/aws-sdk-core/CHANGELOG.md +++ b/gems/aws-sdk-core/CHANGELOG.md @@ -1,6 +1,8 @@ Unreleased Changes ------------------ +* Feature - Support metric tracking for Bedrock Bearer tokens. + 3.226.3 (2025-07-17) ------------------ diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb index 39904a631ab..efe9422663b 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb @@ -99,13 +99,8 @@ class CredentialsConfiguration < Seahorse::Client::Plugin will be used to search for tokens configured for your profile in shared configuration files. DOCS ) do |config| - if config.stub_responses - StaticTokenProvider.new('token') - else - TokenProviderChain.new(config).resolve - end + TokenProviderChain.new(config).resolve end - end end end diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb index eba2235498f..f2803ee05db 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb 
@@ -13,8 +13,7 @@ class Sign < Seahorse::Client::Plugin option(:sigv4_region) option(:unsigned_operations, default: []) - supported_auth_types = %w[sigv4 bearer sigv4-s3express sigv4a none] - SUPPORTED_AUTH_TYPES = supported_auth_types.freeze + SUPPORTED_AUTH_TYPES = %w[sigv4 bearer sigv4-s3express sigv4a none].freeze def add_handlers(handlers, cfg) operations = cfg.api.operation_names - cfg.unsigned_operations @@ -32,7 +31,7 @@ def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_cred } SignatureV4.new(auth_scheme, config, sigv4_overrides) when 'bearer' - Bearer.new + Bearer.new(config) else NullSigner.new end @@ -41,7 +40,6 @@ def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_cred class Handler < Seahorse::Client::Handler def call(context) # Skip signing if using sigv2 signing from s3_signer in S3 - credentials = nil unless v2_signing?(context.config) signer = Sign.signer_for( context[:auth_scheme], @@ -49,18 +47,22 @@ def call(context) context[:sigv4_region], context[:sigv4_credentials] ) - credentials = signer.credentials if signer.is_a?(SignatureV4) signer.sign(context) end - with_metrics(credentials) { @handler.call(context) } + with_metrics(signer) { @handler.call(context) } end private - def with_metrics(credentials, &block) - return block.call unless credentials&.respond_to?(:metrics) - - Aws::Plugins::UserAgent.metric(*credentials.metrics, &block) + def with_metrics(signer, &block) + case signer + when SignatureV4 + Aws::Plugins::UserAgent.metric(*signer.credentials.metrics, &block) + when Bearer + Aws::Plugins::UserAgent.metric(*signer.token_provider.metrics, &block) + else + block.call + end end def v2_signing?(config) 
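Review bot: In the last hunk on this line, `with_metrics` now calls `signer.credentials.metrics` and `signer.token_provider.metrics` unconditionally, where the removed version returned early unless the object responded to `metrics`. A credentials or token provider that does not mix in the SDK provider modules (for example a duck-typed object passed through `context[:sigv4_credentials]`) would presumably raise `NoMethodError` here, after the request has already been signed; the sign_spec change in this commit, which swaps `Aws::Sigv4::StaticCredentialsProvider` for `Aws::Credentials`, suggests that case exists. Keeping the guard preserves the old tolerance, e.g. `provider = signer.credentials` then `return block.call unless provider.respond_to?(:metrics)` in the SignatureV4 branch, and likewise for the Bearer branch. `SignatureV4#credentials` is defined outside this hunk, so what it returns should be confirmed.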
@@ -72,21 +74,19 @@ def v2_signing?(config) # @api private class Bearer - def initialize + def initialize(config) + @token_provider = config.token_provider end + attr_reader :token_provider + def sign(context) if context.http_request.endpoint.scheme != 'https' - raise ArgumentError, - 'Unable to use bearer authorization on non https endpoint.' + raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.' end + raise Errors::MissingBearerTokenError unless @token_provider && @token_provider.set? - token_provider = context.config.token_provider - - raise Errors::MissingBearerTokenError unless token_provider&.set? - - context.http_request.headers['Authorization'] = - "Bearer #{token_provider.token.token}" + context.http_request.headers['Authorization'] = "Bearer #{@token_provider.token.token}" end def presign_url(*args) @@ -100,16 +100,11 @@ def sign_event(*args) # @api private class SignatureV4 - attr_reader :signer - def initialize(auth_scheme, config, sigv4_overrides = {}) scheme_name = auth_scheme['name'] - unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name) - raise ArgumentError, - "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}" + raise ArgumentError, "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}" end - region = if scheme_name == 'sigv4a' auth_scheme['signingRegionSet'].join(',') else 
@@ -121,8 +116,8 @@ def initialize(auth_scheme, config, sigv4_overrides = {}) region: sigv4_overrides[:region] || config.sigv4_region || region, credentials_provider: sigv4_overrides[:credentials] || config.credentials, signing_algorithm: scheme_name.to_sym, - uri_escape_path: !!!auth_scheme['disableDoubleEncoding'], - normalize_path: !!!auth_scheme['disableNormalizePath'], + uri_escape_path: !auth_scheme['disableDoubleEncoding'], + normalize_path: !auth_scheme['disableNormalizePath'], unsigned_headers: %w[content-length user-agent x-amzn-trace-id expect transfer-encoding connection] ) rescue Aws::Sigv4::Errors::MissingCredentialsError @@ -130,6 +125,8 @@ def initialize(auth_scheme, config, sigv4_overrides = {}) end end + attr_reader :signer + def sign(context) req = context.http_request diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/stub_responses.rb b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/stub_responses.rb index e2e17ef2e1a..ada65dfd60c 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/stub_responses.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/stub_responses.rb @@ -29,6 +29,12 @@ class StubResponses < Seahorse::Client::Plugin end end + option(:token_provider) do |config| + if config.stub_responses + StaticTokenProvider.new('stubbed-token') + end + end + option(:stubs) { {} } option(:stubs_mutex) { Mutex.new } option(:api_requests) { [] } diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/user_agent.rb b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/user_agent.rb index 5c1c3faada4..da93fcc6d5d 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/plugins/user_agent.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/plugins/user_agent.rb @@ -54,7 +54,8 @@ class UserAgent < Seahorse::Client::Plugin "CREDENTIALS_HTTP" : "z", "CREDENTIALS_IMDS" : "0", "SSO_LOGIN_DEVICE" : "1", - "SSO_LOGIN_AUTH" : "2" + "SSO_LOGIN_AUTH" : "2", + "BEARER_SERVICE_ENV_VARS": "3" } METRICS 
diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/static_token_provider.rb b/gems/aws-sdk-core/lib/aws-sdk-core/static_token_provider.rb index 7786d1ac08e..07c6909f94d 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/static_token_provider.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/static_token_provider.rb @@ -2,12 +2,11 @@ module Aws class StaticTokenProvider - include TokenProvider # @param [String] token # @param [Time] expiration - def initialize(token, expiration=nil) + def initialize(token, expiration = nil) @token = Token.new(token, expiration) end end diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/token.rb b/gems/aws-sdk-core/lib/aws-sdk-core/token.rb index 5126005d604..f27618c3df2 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/token.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/token.rb @@ -3,9 +3,9 @@ module Aws class Token - # @param [String] token - # @param [Time] expiration - def initialize(token, expiration=nil) + # @param [String, nil] token + # @param [Time, nil] expiration + def initialize(token, expiration = nil) @token = token @expiration = expiration end diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/token_provider.rb b/gems/aws-sdk-core/lib/aws-sdk-core/token_provider.rb index 643012f9d0c..8b69b78bb2d 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/token_provider.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/token_provider.rb @@ -6,6 +6,10 @@ module TokenProvider # @return [Token] attr_reader :token + # @api private + # Returns UserAgent metrics for tokens. + attr_accessor :metrics + # @return [Boolean] def set? !!token && token.set? diff --git a/gems/aws-sdk-core/lib/aws-sdk-core/token_provider_chain.rb b/gems/aws-sdk-core/lib/aws-sdk-core/token_provider_chain.rb index dfebea13a5b..194ca1e81d9 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-core/token_provider_chain.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-core/token_provider_chain.rb 
@@ -27,17 +27,13 @@ def providers def static_profile_sso_token(options) if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile - Aws.shared_config.sso_token_from_config( - profile: options[:config].profile - ) + Aws.shared_config.sso_token_from_config(profile: options[:config].profile) end end - def sso_token(options) - profile_name = determine_profile_name(options) if Aws.shared_config.config_enabled? - Aws.shared_config.sso_token_from_config(profile: profile_name) + Aws.shared_config.sso_token_from_config(profile: determine_profile_name(options)) end rescue Errors::NoSuchProfileError nil diff --git a/gems/aws-sdk-core/lib/aws-sdk-sts/presigner.rb b/gems/aws-sdk-core/lib/aws-sdk-sts/presigner.rb index 7bc66c18c2e..b87050621ac 100644 --- a/gems/aws-sdk-core/lib/aws-sdk-sts/presigner.rb +++ b/gems/aws-sdk-core/lib/aws-sdk-sts/presigner.rb @@ -53,13 +53,9 @@ def get_caller_identity_presigned_url(options = {}) use_fips: context.config.use_fips_endpoint, use_global_endpoint: context.config.sts_regional_endpoints == 'legacy' ) - endpoint = context.config.endpoint_provider - .resolve_endpoint(endpoint_params) + endpoint = context.config.endpoint_provider.resolve_endpoint(endpoint_params) auth_scheme = Aws::Endpoints.resolve_auth_scheme(context, endpoint) - - signer = Aws::Plugins::Sign.signer_for( - auth_scheme, context.config - ) + signer = Aws::Plugins::Sign.signer_for(auth_scheme, context.config) signer.presign_url( http_method: 'GET', diff --git a/gems/aws-sdk-core/spec/auth_helper.rb b/gems/aws-sdk-core/spec/auth_helper.rb new file mode 100644 index 00000000000..d14c3453cd3 --- /dev/null +++ b/gems/aws-sdk-core/spec/auth_helper.rb 
@@ -0,0 +1,27 @@ +module AuthHelper + # Expect the signer to be called with the given auth scheme. + def expect_auth(expected_auth_scheme, region: nil, credentials: nil) + expect(Aws::Plugins::Sign).to receive(:signer_for).and_wrap_original do |m, *args| + actual_auth_scheme = args[0] + _config = args[1] + _sigv4_region_override = args[2] + _sigv4_credentials_override = args[3] + + expect(actual_auth_scheme).to include(expected_auth_scheme) + signer = m.call(*args) + case signer + when Aws::Plugins::Sign::SignatureV4 + sigv4_signer = signer.signer + case expected_auth_scheme['name'] + when 'sigv4' + region = region || expected_auth_scheme['signingRegion'] + when 'sigv4a' + region = region || expected_auth_scheme['signingRegionSet']&.join(',') + end + expect(sigv4_signer.region).to eq(region) if region + expect(sigv4_signer.credentials_provider).to eq(credentials) if credentials + end + signer + end + end +end diff --git a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb index e141482d286..60404c67e6f 100644 --- a/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb +++ b/gems/aws-sdk-core/spec/aws/credential_resolution_chain_spec.rb @@ -1172,7 +1172,6 @@ def stub_token_file(token) def metrics_from_user_agent_header(resp) header = resp.context.http_request.headers['User-Agent'] - # Parse list of metrics from User-Agent header header.match(%r{ m/([A-Za-z0-9+-,]+)})[1].split(',') end diff --git a/gems/aws-sdk-core/spec/aws/endpoints_spec.rb b/gems/aws-sdk-core/spec/aws/endpoints_spec.rb index 78e84edebe9..ca84ff72f67 100644 --- a/gems/aws-sdk-core/spec/aws/endpoints_spec.rb +++ b/gems/aws-sdk-core/spec/aws/endpoints_spec.rb 
@@ -114,13 +114,6 @@ module Aws end context 'sigv4a defaults' do - before do - stub_const( - 'Aws::Endpoints::SUPPORTED_AUTH_TRAITS', - Aws::Endpoints::SUPPORTED_AUTH_TRAITS + ['aws.auth#sigv4a'] - ) - end - let(:auth) { ['aws.auth#sigv4a'] } it 'signs with sigv4' do @@ -211,7 +204,7 @@ module Aws ) end - let(:auth) { ['aws.auth#sigv4a', 'aws.auth#sigv4'] } + let(:auth) { %w[aws.auth#sigv4a aws.auth#sigv4] } it 'prefers the first supported auth trait' do expect_auth({ 'name' => 'sigv4' }) diff --git a/gems/aws-sdk-core/spec/aws/plugins/sign_spec.rb b/gems/aws-sdk-core/spec/aws/plugins/sign_spec.rb index 2c456b67e5d..9ea6d294496 100644 --- a/gems/aws-sdk-core/spec/aws/plugins/sign_spec.rb +++ b/gems/aws-sdk-core/spec/aws/plugins/sign_spec.rb @@ -53,10 +53,10 @@ module Plugins class Handler < Seahorse::Client::Handler def call(context) context[:sigv4_region] = 'override-region' - context[:sigv4_credentials] = Aws::Sigv4::StaticCredentialsProvider.new( - access_key_id: 'override-akid', - secret_access_key: 'override-secret', - session_token: 'override-token' + context[:sigv4_credentials] = Aws::Credentials.new( + 'override-akid', + 'override-secret', + 'override-token' ) @handler.call(context) end diff --git a/gems/aws-sdk-core/spec/shared_spec_helper.rb b/gems/aws-sdk-core/spec/shared_spec_helper.rb index 3271650be0d..57e722ec24a 100644 --- a/gems/aws-sdk-core/spec/shared_spec_helper.rb +++ b/gems/aws-sdk-core/spec/shared_spec_helper.rb @@ -8,7 +8,7 @@ require 'webmock/rspec' -require_relative './sigv4_helper' +require_relative './auth_helper' # Prevent the SDK unit tests from loading actual credentials while under test. # By default the SDK attempts to load credentials from: @@ -19,7 +19,7 @@ # RSpec.configure do |config| # Module to help check service signing - config.include Sigv4Helper + config.include AuthHelper config.before(:each) do # Clear the current ENV to avoid loading credentials. 
diff --git a/gems/aws-sdk-core/spec/sigv4_helper.rb b/gems/aws-sdk-core/spec/sigv4_helper.rb deleted file mode 100644 index c909eae3bc0..00000000000 --- a/gems/aws-sdk-core/spec/sigv4_helper.rb +++ /dev/null @@ -1,29 +0,0 @@ -module Sigv4Helper - # perhaps belongs in an AuthHelper but we mainly check Sigv4 these days - def expect_auth(auth_scheme, region: nil, credentials: nil) - if auth_scheme['name'] == 'sigv4a' - stub_const( - 'Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES', - Aws::Plugins::Sign::SUPPORTED_AUTH_TYPES + ['sigv4a'] - ) - end - expect(Aws::Plugins::Sign).to receive(:signer_for).and_wrap_original do |m, *args| - expect(args.first).to include(auth_scheme) - expect(args[2]).to eq(region) if region - expect(args[3]).to eq(credentials) if credentials - - if auth_scheme['name'] == 'sigv4a' - mock_signature = Aws::Sigv4::Signature.new(headers: {}) - signer = double('sigv4a_signer', sign_request: mock_signature) - region = region || args.first['signingRegionSet'].join(',') - - expect(Aws::Sigv4::Signer).to receive(:new) - .with(hash_including(signing_algorithm: :sigv4a, region: region)) - .and_return(signer) - expect(signer).to receive(:credentials_provider).and_return(credentials) - end - - m.call(*args) - end - end -end diff --git a/services.json b/services.json index 53060a4df04..9d8e40ec632 100644 --- a/services.json +++ b/services.json @@ -127,7 +127,10 @@ "models": "batch/2016-08-10" }, "Bedrock": { - "models": "bedrock/2023-04-20" + "models": "bedrock/2023-04-20", + "addPlugins": [ + "Aws::Bedrock::Plugins::BearerAuthorization" + ] }, "BedrockAgent": { "models": "bedrock-agent/2023-06-05" @@ -148,7 +151,10 @@ "models": "bedrock-data-automation-runtime/2024-06-13" }, "BedrockRuntime": { - "models": "bedrock-runtime/2023-09-30" + "models": "bedrock-runtime/2023-09-30", + "addPlugins": [ + "Aws::BedrockRuntime::Plugins::BearerAuthorization" + ] }, "Billing": { "models": "billing/2023-09-07"