deps: update osbuild/images to 246b718310ea

Current main.
246b718310
Achilleas Koutsou 2023-07-19 17:22:28 +02:00 committed by Ondřej Budai
parent 326f0cfa2f
commit 5c292c61c6
1437 changed files with 208886 additions and 87131 deletions


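--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,50 @@
+package bearer
+import (
+"github.com/aws/aws-sdk-go/aws"
+"time"
+)
+// Token provides a type wrapping a bearer token and expiration metadata.
+type Token struct {
+Value string
+CanExpire bool
+Expires time.Time
+}
+// Expired returns if the token's Expires time is before or equal to the time
+// provided. If CanExpire is false, Expired will always return false.
+func (t Token) Expired(now time.Time) bool {
+if !t.CanExpire {
+return false
+}
+now = now.Round(0)
+return now.Equal(t.Expires) || now.After(t.Expires)
+}
+// TokenProvider provides interface for retrieving bearer tokens.
+type TokenProvider interface {
+RetrieveBearerToken(aws.Context) (Token, error)
+}
+// TokenProviderFunc provides a helper utility to wrap a function as a type
+// that implements the TokenProvider interface.
+type TokenProviderFunc func(aws.Context) (Token, error)
+// RetrieveBearerToken calls the wrapped function, returning the Token or
+// error.
+func (fn TokenProviderFunc) RetrieveBearerToken(ctx aws.Context) (Token, error) {
+return fn(ctx)
+}
+// StaticTokenProvider provides a utility for wrapping a static bearer token
+// value within an implementation of a token provider.
+type StaticTokenProvider struct {
+Token Token
+}
+// RetrieveBearerToken returns the static token specified.
+func (s StaticTokenProvider) RetrieveBearerToken(aws.Context) (Token, error) {
+return s.Token, nil
+}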


@ -4,13 +4,13 @@ import (
"crypto/sha1"
"encoding/hex"
"encoding/json"
"fmt"
"io/ioutil"
"path/filepath"
"strings"
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/auth/bearer"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/client"
"github.com/aws/aws-sdk-go/aws/credentials"
@ -55,6 +55,19 @@ type Provider struct {
// The URL that points to the organization's AWS Single Sign-On (AWS SSO) user portal.
StartURL string
// The filepath the cached token will be retrieved from. If unset Provider will
// use the startURL to determine the filepath at.
//
// ~/.aws/sso/cache/<sha1-hex-encoded-startURL>.json
//
// If custom cached token filepath is used, the Provider's startUrl
// parameter will be ignored.
CachedTokenFilepath string
// Used by the SSOCredentialProvider if a token configuration
// profile is used in the shared config
TokenProvider bearer.TokenProvider
}
// NewCredentials returns a new AWS Single Sign-On (AWS SSO) credential provider. The ConfigProvider is expected to be configured
@ -89,13 +102,31 @@ func (p *Provider) Retrieve() (credentials.Value, error) {
// RetrieveWithContext retrieves temporary AWS credentials from the configured Amazon Single Sign-On (AWS SSO) user portal
// by exchanging the accessToken present in ~/.aws/sso/cache.
func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Value, error) {
tokenFile, err := loadTokenFile(p.StartURL)
if err != nil {
return credentials.Value{}, err
var accessToken *string
if p.TokenProvider != nil {
token, err := p.TokenProvider.RetrieveBearerToken(ctx)
if err != nil {
return credentials.Value{}, err
}
accessToken = &token.Value
} else {
if p.CachedTokenFilepath == "" {
cachedTokenFilePath, err := getCachedFilePath(p.StartURL)
if err != nil {
return credentials.Value{}, err
}
p.CachedTokenFilepath = cachedTokenFilePath
}
tokenFile, err := loadTokenFile(p.CachedTokenFilepath)
if err != nil {
return credentials.Value{}, err
}
accessToken = &tokenFile.AccessToken
}
output, err := p.Client.GetRoleCredentialsWithContext(ctx, &sso.GetRoleCredentialsInput{
AccessToken: &tokenFile.AccessToken,
AccessToken: accessToken,
AccountId: &p.AccountID,
RoleName: &p.RoleName,
})
@ -114,32 +145,13 @@ func (p *Provider) RetrieveWithContext(ctx credentials.Context) (credentials.Val
}, nil
}
func getCacheFileName(url string) (string, error) {
func getCachedFilePath(startUrl string) (string, error) {
hash := sha1.New()
_, err := hash.Write([]byte(url))
_, err := hash.Write([]byte(startUrl))
if err != nil {
return "", err
}
return strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json", nil
}
type rfc3339 time.Time
func (r *rfc3339) UnmarshalJSON(bytes []byte) error {
var value string
if err := json.Unmarshal(bytes, &value); err != nil {
return err
}
parse, err := time.Parse(time.RFC3339, value)
if err != nil {
return fmt.Errorf("expected RFC3339 timestamp: %v", err)
}
*r = rfc3339(parse)
return nil
return filepath.Join(defaultCacheLocation(), strings.ToLower(hex.EncodeToString(hash.Sum(nil)))+".json"), nil
}
type token struct {
@ -153,13 +165,8 @@ func (t token) Expired() bool {
return nowTime().Round(0).After(time.Time(t.ExpiresAt))
}
func loadTokenFile(startURL string) (t token, err error) {
key, err := getCacheFileName(startURL)
if err != nil {
return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
}
fileBytes, err := ioutil.ReadFile(filepath.Join(defaultCacheLocation(), key))
func loadTokenFile(cachedTokenPath string) (t token, err error) {
fileBytes, err := ioutil.ReadFile(cachedTokenPath)
if err != nil {
return token{}, awserr.New(ErrCodeSSOProviderInvalidToken, invalidTokenMessage, err)
}
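Review bot: RetrieveWithContext now writes back into the provider at `p.CachedTokenFilepath = cachedTokenFilePath` as a side effect of a retrieve, so a Provider whose StartURL changes after the first call keeps the stale path, and the write is unsynchronized if the same Provider is retrieved from more than one goroutine (whether the credentials wrapper serializes that is not visible here). Keeping the path in a local, `cachedPath := p.CachedTokenFilepath` followed by `if cachedPath == "" { cachedPath, err = getCachedFilePath(p.StartURL) ... }`, and passing it to loadTokenFile avoids the mutation. The new helper's parameter `startUrl` should be `startURL` to match the StartURL field and Go initialism style. loadTokenFile's body continues outside the hunk.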


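--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,237 @@
+package ssocreds
+import (
+"crypto/sha1"
+"encoding/hex"
+"encoding/json"
+"fmt"
+"github.com/aws/aws-sdk-go/internal/shareddefaults"
+"io/ioutil"
+"os"
+"path/filepath"
+"strconv"
+"strings"
+"time"
+)
+var resolvedOsUserHomeDir = shareddefaults.UserHomeDir
+// StandardCachedTokenFilepath returns the filepath for the cached SSO token file, or
+// error if unable get derive the path. Key that will be used to compute a SHA1
+// value that is hex encoded.
+//
+// Derives the filepath using the Key as:
+//
+// ~/.aws/sso/cache/<sha1-hex-encoded-key>.json
+func StandardCachedTokenFilepath(key string) (string, error) {
+homeDir := resolvedOsUserHomeDir()
+if len(homeDir) == 0 {
+return "", fmt.Errorf("unable to get USER's home directory for cached token")
+}
+hash := sha1.New()
+if _, err := hash.Write([]byte(key)); err != nil {
+return "", fmt.Errorf("unable to compute cached token filepath key SHA1 hash, %v", err)
+}
+cacheFilename := strings.ToLower(hex.EncodeToString(hash.Sum(nil))) + ".json"
+return filepath.Join(homeDir, ".aws", "sso", "cache", cacheFilename), nil
+}
+type tokenKnownFields struct {
+AccessToken string `json:"accessToken,omitempty"`
+ExpiresAt *rfc3339 `json:"expiresAt,omitempty"`
+RefreshToken string `json:"refreshToken,omitempty"`
+ClientID string `json:"clientId,omitempty"`
+ClientSecret string `json:"clientSecret,omitempty"`
+}
+type cachedToken struct {
+tokenKnownFields
+UnknownFields map[string]interface{} `json:"-"`
+}
+// MarshalJSON provides custom marshalling because the standard library Go marshaller ignores unknown/unspecified fields
+// when marshalling from a struct: https://pkg.go.dev/encoding/json#Marshal
+// This function adds some extra validation to the known fields and captures unknown fields.
+func (t cachedToken) MarshalJSON() ([]byte, error) {
+fields := map[string]interface{}{}
+setTokenFieldString(fields, "accessToken", t.AccessToken)
+setTokenFieldRFC3339(fields, "expiresAt", t.ExpiresAt)
+setTokenFieldString(fields, "refreshToken", t.RefreshToken)
+setTokenFieldString(fields, "clientId", t.ClientID)
+setTokenFieldString(fields, "clientSecret", t.ClientSecret)
+for k, v := range t.UnknownFields {
+if _, ok := fields[k]; ok {
+return nil, fmt.Errorf("unknown token field %v, duplicates known field", k)
+}
+fields[k] = v
+}
+return json.Marshal(fields)
+}
+func setTokenFieldString(fields map[string]interface{}, key, value string) {
+if value == "" {
+return
+}
+fields[key] = value
+}
+func setTokenFieldRFC3339(fields map[string]interface{}, key string, value *rfc3339) {
+if value == nil {
+return
+}
+fields[key] = value
+}
+// UnmarshalJSON provides custom unmarshalling because the standard library Go unmarshaller ignores unknown/unspecified
+// fields when unmarshalling from a struct: https://pkg.go.dev/encoding/json#Unmarshal
+// This function adds some extra validation to the known fields and captures unknown fields.
+func (t *cachedToken) UnmarshalJSON(b []byte) error {
+var fields map[string]interface{}
+if err := json.Unmarshal(b, &fields); err != nil {
+return nil
+}
+t.UnknownFields = map[string]interface{}{}
+for k, v := range fields {
+var err error
+switch k {
+case "accessToken":
+err = getTokenFieldString(v, &t.AccessToken)
+case "expiresAt":
+err = getTokenFieldRFC3339(v, &t.ExpiresAt)
+case "refreshToken":
+err = getTokenFieldString(v, &t.RefreshToken)
+case "clientId":
+err = getTokenFieldString(v, &t.ClientID)
+case "clientSecret":
+err = getTokenFieldString(v, &t.ClientSecret)
+default:
+t.UnknownFields[k] = v
+}
+if err != nil {
+return fmt.Errorf("field %q, %v", k, err)
+}
+}
+return nil
+}
+func getTokenFieldString(v interface{}, value *string) error {
+var ok bool
+*value, ok = v.(string)
+if !ok {
+return fmt.Errorf("expect value to be string, got %T", v)
+}
+return nil
+}
+func getTokenFieldRFC3339(v interface{}, value **rfc3339) error {
+var stringValue string
+if err := getTokenFieldString(v, &stringValue); err != nil {
+return err
+}
+timeValue, err := parseRFC3339(stringValue)
+if err != nil {
+return err
+}
+*value = &timeValue
+return nil
+}
+func loadCachedToken(filename string) (cachedToken, error) {
+fileBytes, err := ioutil.ReadFile(filename)
+if err != nil {
+return cachedToken{}, fmt.Errorf("failed to read cached SSO token file, %v", err)
+}
+var t cachedToken
+if err := json.Unmarshal(fileBytes, &t); err != nil {
+return cachedToken{}, fmt.Errorf("failed to parse cached SSO token file, %v", err)
+}
+if len(t.AccessToken) == 0 || t.ExpiresAt == nil || time.Time(*t.ExpiresAt).IsZero() {
+return cachedToken{}, fmt.Errorf(
+"cached SSO token must contain accessToken and expiresAt fields")
+}
+return t, nil
+}
+func storeCachedToken(filename string, t cachedToken, fileMode os.FileMode) (err error) {
+tmpFilename := filename + ".tmp-" + strconv.FormatInt(nowTime().UnixNano(), 10)
+if err := writeCacheFile(tmpFilename, fileMode, t); err != nil {
+return err
+}
+if err := os.Rename(tmpFilename, filename); err != nil {
+return fmt.Errorf("failed to replace old cached SSO token file, %v", err)
+}
+return nil
+}
+func writeCacheFile(filename string, fileMode os.FileMode, t cachedToken) (err error) {
+var f *os.File
+f, err = os.OpenFile(filename, os.O_CREATE|os.O_TRUNC|os.O_RDWR, fileMode)
+if err != nil {
+return fmt.Errorf("failed to create cached SSO token file %v", err)
+}
+defer func() {
+closeErr := f.Close()
+if err == nil && closeErr != nil {
+err = fmt.Errorf("failed to close cached SSO token file, %v", closeErr)
+}
+}()
+encoder := json.NewEncoder(f)
+if err = encoder.Encode(t); err != nil {
+return fmt.Errorf("failed to serialize cached SSO token, %v", err)
+}
+return nil
+}
+type rfc3339 time.Time
+// UnmarshalJSON decode rfc3339 from JSON format
+func (r *rfc3339) UnmarshalJSON(bytes []byte) error {
+var value string
+var err error
+if err = json.Unmarshal(bytes, &value); err != nil {
+return err
+}
+*r, err = parseRFC3339(value)
+return err
+}
+func parseRFC3339(v string) (rfc3339, error) {
+parsed, err := time.Parse(time.RFC3339, v)
+if err != nil {
+return rfc3339{}, fmt.Errorf("expected RFC3339 timestamp: %v", err)
+}
+return rfc3339(parsed), nil
+}
+// MarshalJSON encode rfc3339 to JSON format time
+func (r *rfc3339) MarshalJSON() ([]byte, error) {
+value := time.Time(*r).Format(time.RFC3339)
+// Use JSON unmarshal to unescape the quoted value making use of JSON's
+// quoting rules.
+return json.Marshal(value)
+}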
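Review bot: cachedToken.UnmarshalJSON returns `nil` when `json.Unmarshal(b, &fields)` fails, so a corrupt or truncated cache file is silently accepted as an empty token and loadCachedToken then reports the misleading "must contain accessToken and expiresAt fields" error instead of the parse error; that line should be `return err`. storeCachedToken leaves the `.tmp-<nanos>` file behind when os.Rename fails, which keeps a second copy of the refresh token and client secret in the cache directory; an `os.Remove(tmpFilename)` before returning the wrapped error cleans it up. The comment in rfc3339.MarshalJSON says "Use JSON unmarshal to unescape the quoted value" while the code calls json.Marshal to quote it; `// Marshal the formatted time so it is quoted and escaped per JSON rules.` matches what the line does.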


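--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,139 @@
+package ssocreds
+import (
+"fmt"
+"os"
+"time"
+"github.com/aws/aws-sdk-go/aws"
+"github.com/aws/aws-sdk-go/aws/auth/bearer"
+"github.com/aws/aws-sdk-go/service/ssooidc"
+)
+// CreateTokenAPIClient provides the interface for the SSOTokenProvider's API
+// client for calling CreateToken operation to refresh the SSO token.
+type CreateTokenAPIClient interface {
+CreateToken(input *ssooidc.CreateTokenInput) (*ssooidc.CreateTokenOutput, error)
+}
+// SSOTokenProviderOptions provides the options for configuring the
+// SSOTokenProvider.
+type SSOTokenProviderOptions struct {
+// Client that can be overridden
+Client CreateTokenAPIClient
+// The path the file containing the cached SSO token will be read from.
+// Initialized the NewSSOTokenProvider's cachedTokenFilepath parameter.
+CachedTokenFilepath string
+}
+// SSOTokenProvider provides a utility for refreshing SSO AccessTokens for
+// Bearer Authentication. The SSOTokenProvider can only be used to refresh
+// already cached SSO Tokens. This utility cannot perform the initial SSO
+// create token.
+//
+// The initial SSO create token should be preformed with the AWS CLI before the
+// Go application using the SSOTokenProvider will need to retrieve the SSO
+// token. If the AWS CLI has not created the token cache file, this provider
+// will return an error when attempting to retrieve the cached token.
+//
+// This provider will attempt to refresh the cached SSO token periodically if
+// needed when RetrieveBearerToken is called.
+//
+// A utility such as the AWS CLI must be used to initially create the SSO
+// session and cached token file.
+// https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
+type SSOTokenProvider struct {
+options SSOTokenProviderOptions
+}
+// NewSSOTokenProvider returns an initialized SSOTokenProvider that will
+// periodically refresh the SSO token cached stored in the cachedTokenFilepath.
+// The cachedTokenFilepath file's content will be rewritten by the token
+// provider when the token is refreshed.
+//
+// The client must be configured for the AWS region the SSO token was created for.
+func NewSSOTokenProvider(client CreateTokenAPIClient, cachedTokenFilepath string, optFns ...func(o *SSOTokenProviderOptions)) *SSOTokenProvider {
+options := SSOTokenProviderOptions{
+Client: client,
+CachedTokenFilepath: cachedTokenFilepath,
+}
+for _, fn := range optFns {
+fn(&options)
+}
+provider := &SSOTokenProvider{
+options: options,
+}
+return provider
+}
+// RetrieveBearerToken returns the SSO token stored in the cachedTokenFilepath
+// the SSOTokenProvider was created with. If the token has expired
+// RetrieveBearerToken will attempt to refresh it. If the token cannot be
+// refreshed or is not present an error will be returned.
+//
+// A utility such as the AWS CLI must be used to initially create the SSO
+// session and cached token file. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
+func (p *SSOTokenProvider) RetrieveBearerToken(ctx aws.Context) (bearer.Token, error) {
+cachedToken, err := loadCachedToken(p.options.CachedTokenFilepath)
+if err != nil {
+return bearer.Token{}, err
+}
+if cachedToken.ExpiresAt != nil && nowTime().After(time.Time(*cachedToken.ExpiresAt)) {
+cachedToken, err = p.refreshToken(cachedToken)
+if err != nil {
+return bearer.Token{}, fmt.Errorf("refresh cached SSO token failed, %v", err)
+}
+}
+expiresAt := toTime((*time.Time)(cachedToken.ExpiresAt))
+return bearer.Token{
+Value: cachedToken.AccessToken,
+CanExpire: !expiresAt.IsZero(),
+Expires: expiresAt,
+}, nil
+}
+func (p *SSOTokenProvider) refreshToken(token cachedToken) (cachedToken, error) {
+if token.ClientSecret == "" || token.ClientID == "" || token.RefreshToken == "" {
+return cachedToken{}, fmt.Errorf("cached SSO token is expired, or not present, and cannot be refreshed")
+}
+createResult, err := p.options.Client.CreateToken(&ssooidc.CreateTokenInput{
+ClientId: &token.ClientID,
+ClientSecret: &token.ClientSecret,
+RefreshToken: &token.RefreshToken,
+GrantType: aws.String("refresh_token"),
+})
+if err != nil {
+return cachedToken{}, fmt.Errorf("unable to refresh SSO token, %v", err)
+}
+expiresAt := nowTime().Add(time.Duration(*createResult.ExpiresIn) * time.Second)
+token.AccessToken = *createResult.AccessToken
+token.ExpiresAt = (*rfc3339)(&expiresAt)
+token.RefreshToken = *createResult.RefreshToken
+fileInfo, err := os.Stat(p.options.CachedTokenFilepath)
+if err != nil {
+return cachedToken{}, fmt.Errorf("failed to stat cached SSO token file %v", err)
+}
+if err = storeCachedToken(p.options.CachedTokenFilepath, token, fileInfo.Mode()); err != nil {
+return cachedToken{}, fmt.Errorf("unable to cache refreshed SSO token, %v", err)
+}
+return token, nil
+}
+func toTime(p *time.Time) (v time.Time) {
+if p == nil {
+return v
+}
+return *p
+}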
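Review bot: refreshToken dereferences `*createResult.ExpiresIn`, `*createResult.AccessToken` and `*createResult.RefreshToken` without nil checks, so a CreateToken response that omits any of them panics inside a credential refresh instead of returning an error. A guard before the derefs, `if createResult.AccessToken == nil || createResult.ExpiresIn == nil { return cachedToken{}, fmt.Errorf("CreateToken response missing accessToken or expiresIn") }`, covers the two fields the provider cannot do without; if the service may legitimately omit refreshToken on a refresh, keep the cached `token.RefreshToken` when the response's is nil rather than failing. RetrieveBearerToken accepts `ctx` but the CreateTokenAPIClient interface only exposes a context-free CreateToken, so deadlines and cancellation on ctx never reach the refresh call; if the generated client offers a context-taking variant, requiring that in the interface would let ctx be honored.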


@ -9,7 +9,7 @@ to refresh the credentials will be synchronized. But, the SDK is unable to
ensure synchronous usage of the AssumeRoleProvider if the value is shared
between multiple Credentials, Sessions or service clients.
Assume Role
# Assume Role
To assume an IAM role using STS with the SDK you can create a new Credentials
with the SDKs's stscreds package.
@ -27,7 +27,7 @@ with the SDKs's stscreds package.
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})
Assume Role with static MFA Token
# Assume Role with static MFA Token
To assume an IAM role with a MFA token you can either specify a MFA token code
directly or provide a function to prompt the user each time the credentials
@ -49,7 +49,7 @@ credentials.
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})
Assume Role with MFA Token Provider
# Assume Role with MFA Token Provider
To assume an IAM role with MFA for longer running tasks where the credentials
may need to be refreshed setting the TokenProvider field of AssumeRoleProvider
@ -74,7 +74,6 @@ single Credentials with an AssumeRoleProvider can be shared safely.
// Create service client value configured for credentials
// from assumed role.
svc := s3.New(sess, &aws.Config{Credentials: creds})
*/
package stscreds
@ -199,6 +198,10 @@ type AssumeRoleProvider struct {
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
SerialNumber *string
// The SourceIdentity which is used to identity a persistent identity through the whole session.
// For more details see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA (that is, if the policy includes a condition that tests
// for MFA). If the role being assumed requires MFA and if the TokenCode value
@ -320,6 +323,7 @@ func (p *AssumeRoleProvider) RetrieveWithContext(ctx credentials.Context) (crede
Tags: p.Tags,
PolicyArns: p.PolicyArns,
TransitiveTagKeys: p.TransitiveTagKeys,
SourceIdentity: p.SourceIdentity,
}
if p.Policy != nil {
input.Policy = p.Policy



@ -14,6 +14,7 @@ import (
"github.com/aws/aws-sdk-go/aws/defaults"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/internal/shareddefaults"
"github.com/aws/aws-sdk-go/service/ssooidc"
"github.com/aws/aws-sdk-go/service/sts"
)
@ -23,6 +24,10 @@ type CredentialsProviderOptions struct {
// WebIdentityRoleProviderOptions configures a WebIdentityRoleProvider,
// such as setting its ExpiryWindow.
WebIdentityRoleProviderOptions func(*stscreds.WebIdentityRoleProvider)
// ProcessProviderOptions configures a ProcessProvider,
// such as setting its Timeout.
ProcessProviderOptions func(*processcreds.ProcessProvider)
}
func resolveCredentials(cfg *aws.Config,
@ -33,7 +38,7 @@ func resolveCredentials(cfg *aws.Config,
switch {
case len(sessOpts.Profile) != 0:
// User explicitly provided an Profile in the session's configuration
// User explicitly provided a Profile in the session's configuration
// so load that profile from shared config first.
// Github(aws/aws-sdk-go#2727)
return resolveCredsFromProfile(cfg, envCfg, sharedCfg, handlers, sessOpts)
@ -134,7 +139,11 @@ func resolveCredsFromProfile(cfg *aws.Config,
case len(sharedCfg.CredentialProcess) != 0:
// Get credentials from CredentialProcess
creds = processcreds.NewCredentials(sharedCfg.CredentialProcess)
var optFns []func(*processcreds.ProcessProvider)
if sessOpts.CredentialsProviderOptions != nil && sessOpts.CredentialsProviderOptions.ProcessProviderOptions != nil {
optFns = append(optFns, sessOpts.CredentialsProviderOptions.ProcessProviderOptions)
}
creds = processcreds.NewCredentials(sharedCfg.CredentialProcess, optFns...)
default:
// Fallback to default credentials provider, include mock errors for
@ -173,8 +182,25 @@ func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers req
return nil, err
}
var optFns []func(provider *ssocreds.Provider)
cfgCopy := cfg.Copy()
cfgCopy.Region = &sharedCfg.SSORegion
if sharedCfg.SSOSession != nil {
cfgCopy.Region = &sharedCfg.SSOSession.SSORegion
cachedPath, err := ssocreds.StandardCachedTokenFilepath(sharedCfg.SSOSession.Name)
if err != nil {
return nil, err
}
mySession := Must(NewSession())
oidcClient := ssooidc.New(mySession, cfgCopy)
tokenProvider := ssocreds.NewSSOTokenProvider(oidcClient, cachedPath)
optFns = append(optFns, func(p *ssocreds.Provider) {
p.TokenProvider = tokenProvider
p.CachedTokenFilepath = cachedPath
})
} else {
cfgCopy.Region = &sharedCfg.SSORegion
}
return ssocreds.NewCredentials(
&Session{
@ -184,6 +210,7 @@ func resolveSSOCredentials(cfg *aws.Config, sharedCfg sharedConfig, handlers req
sharedCfg.SSOAccountID,
sharedCfg.SSORoleName,
sharedCfg.SSOStartURL,
optFns...,
), nil
}
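Review bot: resolveSSOCredentials calls `Must(NewSession())`, which panics on any error inside a function that already returns an error (see the `return nil, err` at the top of the hunk), and the fresh session ignores the resolved `cfg` and `handlers` passed to this function, so a caller's custom HTTP client or endpoint settings are not applied to the ssooidc client. Prefer `oidcSess, err := NewSession(cfgCopy)` followed by `if err != nil { return nil, err }` (or building the client from the `&Session{...}` constructed below for ssocreds) so the error propagates and the configuration is shared. Setting both `p.TokenProvider` and `p.CachedTokenFilepath` in the option looks redundant if the provider prefers TokenProvider whenever it is set, but that decision lives in ssocreds outside this hunk.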


@ -37,7 +37,7 @@ const (
// ErrSharedConfigSourceCollision will be returned if a section contains both
// source_profile and credential_source
var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso", nil)
var ErrSharedConfigSourceCollision = awserr.New(ErrCodeSharedConfig, "only one credential type may be specified per profile: source profile, credential source, credential process, web identity token", nil)
// ErrSharedConfigECSContainerEnvVarEmpty will be returned if the environment
// variables are empty and Environment was set as the credential source
@ -174,7 +174,6 @@ const (
// Options provides the means to control how a Session is created and what
// configuration values will be loaded.
//
type Options struct {
// Provides config values for the SDK to use when creating service clients
// and making API requests to services. Any value set in with this field
@ -322,24 +321,24 @@ type Options struct {
// credentials file. Enabling the Shared Config will also allow the Session
// to be built with retrieving credentials with AssumeRole set in the config.
//
// // Equivalent to session.New
// sess := session.Must(session.NewSessionWithOptions(session.Options{}))
// // Equivalent to session.New
// sess := session.Must(session.NewSessionWithOptions(session.Options{}))
//
// // Specify profile to load for the session's config
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// Profile: "profile_name",
// }))
// // Specify profile to load for the session's config
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// Profile: "profile_name",
// }))
//
// // Specify profile for config and region for requests
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// Config: aws.Config{Region: aws.String("us-east-1")},
// Profile: "profile_name",
// }))
// // Specify profile for config and region for requests
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// Config: aws.Config{Region: aws.String("us-east-1")},
// Profile: "profile_name",
// }))
//
// // Force enable Shared Config support
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// SharedConfigState: session.SharedConfigEnable,
// }))
// // Force enable Shared Config support
// sess := session.Must(session.NewSessionWithOptions(session.Options{
// SharedConfigState: session.SharedConfigEnable,
// }))
func NewSessionWithOptions(opts Options) (*Session, error) {
var envCfg envConfig
var err error
@ -375,7 +374,7 @@ func NewSessionWithOptions(opts Options) (*Session, error) {
// This helper is intended to be used in variable initialization to load the
// Session and configuration at startup. Such as:
//
// var sess = session.Must(session.NewSession())
// var sess = session.Must(session.NewSession())
func Must(sess *Session, err error) *Session {
if err != nil {
panic(err)
@ -780,16 +779,6 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode)
}
// Configure credentials if not already set by the user when creating the
// Session.
if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
if err != nil {
return err
}
cfg.Credentials = creds
}
cfg.S3UseARNRegion = userCfg.S3UseARNRegion
if cfg.S3UseARNRegion == nil {
cfg.S3UseARNRegion = &envCfg.S3UseARNRegion
@ -812,6 +801,17 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config,
}
}
// Configure credentials if not already set by the user when creating the Session.
// Credentials are resolved last such that all _resolved_ config values are propagated to credential providers.
// ticket: P83606045
if cfg.Credentials == credentials.AnonymousCredentials && userCfg.Credentials == nil {
creds, err := resolveCredentials(cfg, envCfg, sharedCfg, handlers, sessOpts)
if err != nil {
return err
}
cfg.Credentials = creds
}
return nil
}
@ -845,8 +845,8 @@ func initHandlers(s *Session) {
// and handlers. If any additional configs are provided they will be merged
// on top of the Session's copied config.
//
// // Create a copy of the current Session, configured for the us-west-2 region.
// sess.Copy(&aws.Config{Region: aws.String("us-west-2")})
// // Create a copy of the current Session, configured for the us-west-2 region.
// sess.Copy(&aws.Config{Region: aws.String("us-west-2")})
func (s *Session) Copy(cfgs ...*aws.Config) *Session {
newSession := &Session{
Config: s.Config.Copy(cfgs...),
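Review bot: The ErrSharedConfigSourceCollision message drops "or sso" from the list of mutually exclusive credential types, yet this commit still validates SSO profile settings in shared_config (validateSSOConfiguration), so if SSO still counts toward the one-credential-type rule the message now under-describes the conflict; if it was dropped deliberately, a short comment on the var saying why would help. The comment `// ticket: P83606045` in mergeConfigSrcs points at an internal tracker that readers of the vendored copy cannot resolve; the preceding sentence about resolving credentials last already states the reason, so the ticket line could be dropped or expanded into a sentence. mergeConfigSrcs starts before the hunk.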


@ -26,6 +26,13 @@ const (
roleSessionNameKey = `role_session_name` // optional
roleDurationSecondsKey = "duration_seconds" // optional
// Prefix to be used for SSO sections. These are supposed to only exist in
// the shared config file, not the credentials file.
ssoSectionPrefix = `sso-session `
// AWS Single Sign-On (AWS SSO) group
ssoSessionNameKey = "sso_session"
// AWS Single Sign-On (AWS SSO) group
ssoAccountIDKey = "sso_account_id"
ssoRegionKey = "sso_region"
@ -99,6 +106,10 @@ type sharedConfig struct {
CredentialProcess string
WebIdentityTokenFile string
// SSO session options
SSOSessionName string
SSOSession *ssoSession
SSOAccountID string
SSORegion string
SSORoleName string
@ -186,6 +197,20 @@ type sharedConfigFile struct {
IniData ini.Sections
}
// SSOSession provides the shared configuration parameters of the sso-session
// section.
type ssoSession struct {
Name string
SSORegion string
SSOStartURL string
}
func (s *ssoSession) setFromIniSection(section ini.Section) {
updateString(&s.Name, section, ssoSessionNameKey)
updateString(&s.SSORegion, section, ssoRegionKey)
updateString(&s.SSOStartURL, section, ssoStartURL)
}
// loadSharedConfig retrieves the configuration from the list of files using
// the profile provided. The order the files are listed will determine
// precedence. Values in subsequent files will overwrite values defined in
@ -266,13 +291,13 @@ func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile s
// profile only have credential provider options.
cfg.clearAssumeRoleOptions()
} else {
// First time a profile has been seen, It must either be a assume role
// credentials, or SSO. Assert if the credential type requires a role ARN,
// the ARN is also set, or validate that the SSO configuration is complete.
// First time a profile has been seen. Assert if the credential type
// requires a role ARN, the ARN is also set
if err := cfg.validateCredentialsConfig(profile); err != nil {
return err
}
}
profiles[profile] = struct{}{}
if err := cfg.validateCredentialType(); err != nil {
@ -308,6 +333,30 @@ func (cfg *sharedConfig) setFromIniFiles(profiles map[string]struct{}, profile s
cfg.SourceProfile = srcCfg
}
// If the profile contains an SSO session parameter, the session MUST exist
// as a section in the config file. Load the SSO session using the name
// provided. If the session section is not found or incomplete an error
// will be returned.
if cfg.hasSSOTokenProviderConfiguration() {
skippedFiles = 0
for _, f := range files {
section, ok := f.IniData.GetSection(fmt.Sprintf(ssoSectionPrefix + strings.TrimSpace(cfg.SSOSessionName)))
if ok {
var ssoSession ssoSession
ssoSession.setFromIniSection(section)
ssoSession.Name = cfg.SSOSessionName
cfg.SSOSession = &ssoSession
break
}
skippedFiles++
}
if skippedFiles == len(files) {
// If all files were skipped because the sso session section is not found, return
// the sso section not found error.
return fmt.Errorf("failed to find SSO session section, %v", cfg.SSOSessionName)
}
}
return nil
}
@ -363,6 +412,10 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e
cfg.S3UsEast1RegionalEndpoint = sre
}
// AWS Single Sign-On (AWS SSO)
// SSO session options
updateString(&cfg.SSOSessionName, section, ssoSessionNameKey)
// AWS Single Sign-On (AWS SSO)
updateString(&cfg.SSOAccountID, section, ssoAccountIDKey)
updateString(&cfg.SSORegion, section, ssoRegionKey)
@ -461,32 +514,20 @@ func (cfg *sharedConfig) validateCredentialType() error {
}
func (cfg *sharedConfig) validateSSOConfiguration() error {
if !cfg.hasSSOConfiguration() {
if cfg.hasSSOTokenProviderConfiguration() {
err := cfg.validateSSOTokenProviderConfiguration()
if err != nil {
return err
}
return nil
}
var missing []string
if len(cfg.SSOAccountID) == 0 {
missing = append(missing, ssoAccountIDKey)
if cfg.hasLegacySSOConfiguration() {
err := cfg.validateLegacySSOConfiguration()
if err != nil {
return err
}
}
if len(cfg.SSORegion) == 0 {
missing = append(missing, ssoRegionKey)
}
if len(cfg.SSORoleName) == 0 {
missing = append(missing, ssoRoleNameKey)
}
if len(cfg.SSOStartURL) == 0 {
missing = append(missing, ssoStartURL)
}
if len(missing) > 0 {
return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
cfg.Profile, strings.Join(missing, ", "))
}
return nil
}
@ -525,15 +566,76 @@ func (cfg *sharedConfig) clearAssumeRoleOptions() {
}
func (cfg *sharedConfig) hasSSOConfiguration() bool {
switch {
case len(cfg.SSOAccountID) != 0:
case len(cfg.SSORegion) != 0:
case len(cfg.SSORoleName) != 0:
case len(cfg.SSOStartURL) != 0:
default:
return false
return cfg.hasSSOTokenProviderConfiguration() || cfg.hasLegacySSOConfiguration()
}
func (c *sharedConfig) hasSSOTokenProviderConfiguration() bool {
return len(c.SSOSessionName) > 0
}
func (c *sharedConfig) hasLegacySSOConfiguration() bool {
return len(c.SSORegion) > 0 || len(c.SSOAccountID) > 0 || len(c.SSOStartURL) > 0 || len(c.SSORoleName) > 0
}
func (c *sharedConfig) validateSSOTokenProviderConfiguration() error {
var missing []string
if len(c.SSOSessionName) == 0 {
missing = append(missing, ssoSessionNameKey)
}
return true
if c.SSOSession == nil {
missing = append(missing, ssoSectionPrefix)
} else {
if len(c.SSOSession.SSORegion) == 0 {
missing = append(missing, ssoRegionKey)
}
if len(c.SSOSession.SSOStartURL) == 0 {
missing = append(missing, ssoStartURL)
}
}
if len(missing) > 0 {
return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
c.Profile, strings.Join(missing, ", "))
}
if len(c.SSORegion) > 0 && c.SSORegion != c.SSOSession.SSORegion {
return fmt.Errorf("%s in profile %q must match %s in %s", ssoRegionKey, c.Profile, ssoRegionKey, ssoSectionPrefix)
}
if len(c.SSOStartURL) > 0 && c.SSOStartURL != c.SSOSession.SSOStartURL {
return fmt.Errorf("%s in profile %q must match %s in %s", ssoStartURL, c.Profile, ssoStartURL, ssoSectionPrefix)
}
return nil
}
func (c *sharedConfig) validateLegacySSOConfiguration() error {
var missing []string
if len(c.SSORegion) == 0 {
missing = append(missing, ssoRegionKey)
}
if len(c.SSOStartURL) == 0 {
missing = append(missing, ssoStartURL)
}
if len(c.SSOAccountID) == 0 {
missing = append(missing, ssoAccountIDKey)
}
if len(c.SSORoleName) == 0 {
missing = append(missing, ssoRoleNameKey)
}
if len(missing) > 0 {
return fmt.Errorf("profile %q is configured to use SSO but is missing required configuration: %s",
c.Profile, strings.Join(missing, ", "))
}
return nil
}
func oneOrNone(bs ...bool) bool {


@ -3,7 +3,7 @@
// Provides request signing for request that need to be signed with
// AWS V4 Signatures.
//
// Standalone Signer
// # Standalone Signer
//
// Generally using the signer outside of the SDK should not require any additional
// logic when using Go v1.5 or higher. The signer does this by taking advantage
@ -14,10 +14,10 @@
// The signer will first check the URL.Opaque field, and use its value if set.
// The signer does require the URL.Opaque field to be set in the form of:
//
// "//<hostname>/<path>"
// "//<hostname>/<path>"
//
// // e.g.
// "//example.com/some/path"
// // e.g.
// "//example.com/some/path"
//
// The leading "//" and hostname are required or the URL.Opaque escaping will
// not work correctly.
@ -695,7 +695,8 @@ func (ctx *signingCtx) buildBodyDigest() error {
includeSHA256Header := ctx.unsignedPayload ||
ctx.ServiceName == "s3" ||
ctx.ServiceName == "s3-object-lambda" ||
ctx.ServiceName == "glacier"
ctx.ServiceName == "glacier" ||
ctx.ServiceName == "s3-outposts"
s3Presign := ctx.isPresign &&
(ctx.ServiceName == "s3" ||


@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK
const SDKVersion = "1.44.230"
const SDKVersion = "1.44.304"


@ -287,6 +287,10 @@ func convertType(v reflect.Value, tag reflect.StructTag) (str string, err error)
if tag.Get("location") != "header" || tag.Get("enum") == "" {
return "", fmt.Errorf("%T is only supported with location header and enum shapes", value)
}
if len(value) == 0 {
return "", errValueNotSet
}
buff := &bytes.Buffer{}
for i, sv := range value {
if sv == nil || len(*sv) == 0 {


@ -2,6 +2,7 @@ package restjson
import (
"bytes"
"encoding/json"
"io"
"io/ioutil"
"net/http"
@ -40,54 +41,30 @@ func (u *UnmarshalTypedError) UnmarshalError(
resp *http.Response,
respMeta protocol.ResponseMetadata,
) (error, error) {
code := resp.Header.Get(errorTypeHeader)
msg := resp.Header.Get(errorMessageHeader)
body := resp.Body
if len(code) == 0 || len(msg) == 0 {
// If unable to get code from HTTP headers have to parse JSON message
// to determine what kind of exception this will be.
var buf bytes.Buffer
var jsonErr jsonErrorResponse
teeReader := io.TeeReader(resp.Body, &buf)
err := jsonutil.UnmarshalJSONError(&jsonErr, teeReader)
if err != nil {
return nil, err
}
body = ioutil.NopCloser(&buf)
if len(code) == 0 {
code = jsonErr.Code
}
msg = jsonErr.Message
code, msg, err := unmarshalErrorInfo(resp)
if err != nil {
return nil, err
}
// If code has colon separators remove them so can compare against modeled
// exception names.
code = strings.SplitN(code, ":", 2)[0]
if fn, ok := u.exceptions[code]; ok {
// If exception code is know, use associated constructor to get a value
// for the exception that the JSON body can be unmarshaled into.
v := fn(respMeta)
if err := jsonutil.UnmarshalJSONCaseInsensitive(v, body); err != nil {
return nil, err
}
if err := rest.UnmarshalResponse(resp, v, true); err != nil {
return nil, err
}
return v, nil
fn, ok := u.exceptions[code]
if !ok {
return awserr.NewRequestFailure(
awserr.New(code, msg, nil),
respMeta.StatusCode,
respMeta.RequestID,
), nil
}
// fallback to unmodeled generic exceptions
return awserr.NewRequestFailure(
awserr.New(code, msg, nil),
respMeta.StatusCode,
respMeta.RequestID,
), nil
v := fn(respMeta)
if err := jsonutil.UnmarshalJSONCaseInsensitive(v, resp.Body); err != nil {
return nil, err
}
if err := rest.UnmarshalResponse(resp, v, true); err != nil {
return nil, err
}
return v, nil
}
// UnmarshalErrorHandler is a named request handler for unmarshaling restjson
@ -101,36 +78,80 @@ var UnmarshalErrorHandler = request.NamedHandler{
func UnmarshalError(r *request.Request) {
defer r.HTTPResponse.Body.Close()
var jsonErr jsonErrorResponse
err := jsonutil.UnmarshalJSONError(&jsonErr, r.HTTPResponse.Body)
code, msg, err := unmarshalErrorInfo(r.HTTPResponse)
if err != nil {
r.Error = awserr.NewRequestFailure(
awserr.New(request.ErrCodeSerialization,
"failed to unmarshal response error", err),
awserr.New(request.ErrCodeSerialization, "failed to unmarshal response error", err),
r.HTTPResponse.StatusCode,
r.RequestID,
)
return
}
code := r.HTTPResponse.Header.Get(errorTypeHeader)
if code == "" {
code = jsonErr.Code
}
msg := r.HTTPResponse.Header.Get(errorMessageHeader)
if msg == "" {
msg = jsonErr.Message
}
code = strings.SplitN(code, ":", 2)[0]
r.Error = awserr.NewRequestFailure(
awserr.New(code, jsonErr.Message, nil),
awserr.New(code, msg, nil),
r.HTTPResponse.StatusCode,
r.RequestID,
)
}
type jsonErrorResponse struct {
Type string `json:"__type"`
Code string `json:"code"`
Message string `json:"message"`
}
func (j *jsonErrorResponse) SanitizedCode() string {
code := j.Code
if len(j.Type) > 0 {
code = j.Type
}
return sanitizeCode(code)
}
// Remove superfluous components from a restJson error code.
// - If a : character is present, then take only the contents before the
// first : character in the value.
// - If a # character is present, then take only the contents after the first
// # character in the value.
//
// All of the following error values resolve to FooError:
// - FooError
// - FooError:http://internal.amazon.com/coral/com.amazon.coral.validate/
// - aws.protocoltests.restjson#FooError
// - aws.protocoltests.restjson#FooError:http://internal.amazon.com/coral/com.amazon.coral.validate/
func sanitizeCode(code string) string {
noColon := strings.SplitN(code, ":", 2)[0]
hashSplit := strings.SplitN(noColon, "#", 2)
return hashSplit[len(hashSplit)-1]
}
// attempt to garner error details from the response, preferring header values
// when present
func unmarshalErrorInfo(resp *http.Response) (code string, msg string, err error) {
code = sanitizeCode(resp.Header.Get(errorTypeHeader))
msg = resp.Header.Get(errorMessageHeader)
if len(code) > 0 && len(msg) > 0 {
return
}
// a modeled error will have to be re-deserialized later, so the body must
// be preserved
var buf bytes.Buffer
tee := io.TeeReader(resp.Body, &buf)
defer func() { resp.Body = ioutil.NopCloser(&buf) }()
var jsonErr jsonErrorResponse
if decodeErr := json.NewDecoder(tee).Decode(&jsonErr); decodeErr != nil && decodeErr != io.EOF {
err = awserr.NewUnmarshalError(decodeErr, "failed to decode response body", buf.Bytes())
return
}
if len(code) == 0 {
code = jsonErr.SanitizedCode()
}
if len(msg) == 0 {
msg = jsonErr.Message
}
return
}


@ -155,6 +155,12 @@ func (c *AutoScaling) AttachLoadBalancerTargetGroupsRequest(input *AttachLoadBal
// AttachLoadBalancerTargetGroups API operation for Auto Scaling.
//
// This API operation is superseded by AttachTrafficSources, which can attach
// multiple traffic sources types. We recommend using AttachTrafficSources to
// simplify how you manage traffic sources. However, we continue to support
// AttachLoadBalancerTargetGroups. You can use both the original AttachLoadBalancerTargetGroups
// API operation and AttachTrafficSources on the same Auto Scaling group.
//
// Attaches one or more target groups to the specified Auto Scaling group.
//
// This operation is used with the following load balancer types:
@ -260,8 +266,11 @@ func (c *AutoScaling) AttachLoadBalancersRequest(input *AttachLoadBalancersInput
// AttachLoadBalancers API operation for Auto Scaling.
//
// To attach an Application Load Balancer, Network Load Balancer, or Gateway
// Load Balancer, use the AttachLoadBalancerTargetGroups API operation instead.
// This API operation is superseded by AttachTrafficSources, which can attach
// multiple traffic sources types. We recommend using AttachTrafficSources to
// simplify how you manage traffic sources. However, we continue to support
// AttachLoadBalancers. You can use both the original AttachLoadBalancers API
// operation and AttachTrafficSources on the same Auto Scaling group.
//
// Attaches one or more Classic Load Balancers to the specified Auto Scaling
// group. Amazon EC2 Auto Scaling registers the running instances with these
@ -360,19 +369,28 @@ func (c *AutoScaling) AttachTrafficSourcesRequest(input *AttachTrafficSourcesInp
// AttachTrafficSources API operation for Auto Scaling.
//
// Reserved for use with Amazon VPC Lattice, which is in preview and subject
// to change. Do not use this API for production workloads. This API is also
// subject to change.
//
// Attaches one or more traffic sources to the specified Auto Scaling group.
//
// To describe the traffic sources for an Auto Scaling group, call the DescribeTrafficSources
// API. To detach a traffic source from the Auto Scaling group, call the DetachTrafficSources
// API.
// You can use any of the following as traffic sources for an Auto Scaling group:
//
// - Application Load Balancer
//
// - Classic Load Balancer
//
// - Gateway Load Balancer
//
// - Network Load Balancer
//
// - VPC Lattice
//
// This operation is additive and does not detach existing traffic sources from
// the Auto Scaling group.
//
// After the operation completes, use the DescribeTrafficSources API to return
// details about the state of the attachments between traffic sources and your
// Auto Scaling group. To detach a traffic source from the Auto Scaling group,
// call the DetachTrafficSources API.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
@ -2807,6 +2825,12 @@ func (c *AutoScaling) DescribeLoadBalancerTargetGroupsRequest(input *DescribeLoa
// DescribeLoadBalancerTargetGroups API operation for Auto Scaling.
//
// This API operation is superseded by DescribeTrafficSources, which can describe
// multiple traffic sources types. We recommend using DetachTrafficSources to
// simplify how you manage traffic sources. However, we continue to support
// DescribeLoadBalancerTargetGroups. You can use both the original DescribeLoadBalancerTargetGroups
// API operation and DescribeTrafficSources on the same Auto Scaling group.
//
// Gets information about the Elastic Load Balancing target groups for the specified
// Auto Scaling group.
//
@ -2918,11 +2942,17 @@ func (c *AutoScaling) DescribeLoadBalancersRequest(input *DescribeLoadBalancersI
// DescribeLoadBalancers API operation for Auto Scaling.
//
// This API operation is superseded by DescribeTrafficSources, which can describe
// multiple traffic sources types. We recommend using DescribeTrafficSources
// to simplify how you manage traffic sources. However, we continue to support
// DescribeLoadBalancers. You can use both the original DescribeLoadBalancers
// API operation and DescribeTrafficSources on the same Auto Scaling group.
//
// Gets information about the load balancers for the specified Auto Scaling
// group.
//
// This operation describes only Classic Load Balancers. If you have Application
// Load Balancers, Network Load Balancers, or Gateway Load Balancer, use the
// Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the
// DescribeLoadBalancerTargetGroups API instead.
//
// To determine the attachment status of the load balancer, use the State element
@ -3990,6 +4020,12 @@ func (c *AutoScaling) DescribeTrafficSourcesRequest(input *DescribeTrafficSource
Name: opDescribeTrafficSources,
HTTPMethod: "POST",
HTTPPath: "/",
Paginator: &request.Paginator{
InputTokens: []string{"NextToken"},
OutputTokens: []string{"NextToken"},
LimitToken: "MaxRecords",
TruncationToken: "",
},
}
if input == nil {
@ -4003,13 +4039,15 @@ func (c *AutoScaling) DescribeTrafficSourcesRequest(input *DescribeTrafficSource
// DescribeTrafficSources API operation for Auto Scaling.
//
// Reserved for use with Amazon VPC Lattice, which is in preview and subject
// to change. Do not use this API for production workloads. This API is also
// subject to change.
//
// Gets information about the traffic sources for the specified Auto Scaling
// group.
//
// You can optionally provide a traffic source type. If you provide a traffic
// source type, then the results only include that traffic source type.
//
// If you do not provide a traffic source type, then the results include all
// the traffic sources for the specified Auto Scaling group.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
@ -4048,6 +4086,57 @@ func (c *AutoScaling) DescribeTrafficSourcesWithContext(ctx aws.Context, input *
return out, req.Send()
}
// DescribeTrafficSourcesPages iterates over the pages of a DescribeTrafficSources operation,
// calling the "fn" function with the response data for each page. To stop
// iterating, return false from the fn function.
//
// See DescribeTrafficSources method for more information on how to use this operation.
//
// Note: This operation can generate multiple requests to a service.
//
// // Example iterating over at most 3 pages of a DescribeTrafficSources operation.
// pageNum := 0
// err := client.DescribeTrafficSourcesPages(params,
// func(page *autoscaling.DescribeTrafficSourcesOutput, lastPage bool) bool {
// pageNum++
// fmt.Println(page)
// return pageNum <= 3
// })
func (c *AutoScaling) DescribeTrafficSourcesPages(input *DescribeTrafficSourcesInput, fn func(*DescribeTrafficSourcesOutput, bool) bool) error {
return c.DescribeTrafficSourcesPagesWithContext(aws.BackgroundContext(), input, fn)
}
// DescribeTrafficSourcesPagesWithContext same as DescribeTrafficSourcesPages except
// it takes a Context and allows setting request options on the pages.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *AutoScaling) DescribeTrafficSourcesPagesWithContext(ctx aws.Context, input *DescribeTrafficSourcesInput, fn func(*DescribeTrafficSourcesOutput, bool) bool, opts ...request.Option) error {
p := request.Pagination{
NewRequest: func() (*request.Request, error) {
var inCpy *DescribeTrafficSourcesInput
if input != nil {
tmp := *input
inCpy = &tmp
}
req, _ := c.DescribeTrafficSourcesRequest(inCpy)
req.SetContext(ctx)
req.ApplyOptions(opts...)
return req, nil
},
}
for p.Next() {
if !fn(p.Page().(*DescribeTrafficSourcesOutput), !p.HasNextPage()) {
break
}
}
return p.Err()
}
const opDescribeWarmPool = "DescribeWarmPool"
// DescribeWarmPoolRequest generates a "aws/request.Request" representing the
@ -4278,6 +4367,12 @@ func (c *AutoScaling) DetachLoadBalancerTargetGroupsRequest(input *DetachLoadBal
// DetachLoadBalancerTargetGroups API operation for Auto Scaling.
//
// This API operation is superseded by DetachTrafficSources, which can detach
// multiple traffic sources types. We recommend using DetachTrafficSources to
// simplify how you manage traffic sources. However, we continue to support
// DetachLoadBalancerTargetGroups. You can use both the original DetachLoadBalancerTargetGroups
// API operation and DetachTrafficSources on the same Auto Scaling group.
//
// Detaches one or more target groups from the specified Auto Scaling group.
//
// When you detach a target group, it enters the Removing state while deregistering
@ -4367,11 +4462,17 @@ func (c *AutoScaling) DetachLoadBalancersRequest(input *DetachLoadBalancersInput
// DetachLoadBalancers API operation for Auto Scaling.
//
// This API operation is superseded by DetachTrafficSources, which can detach
// multiple traffic sources types. We recommend using DetachTrafficSources to
// simplify how you manage traffic sources. However, we continue to support
// DetachLoadBalancers. You can use both the original DetachLoadBalancers API
// operation and DetachTrafficSources on the same Auto Scaling group.
//
// Detaches one or more Classic Load Balancers from the specified Auto Scaling
// group.
//
// This operation detaches only Classic Load Balancers. If you have Application
// Load Balancers, Network Load Balancers, or Gateway Load Balancer, use the
// Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the
// DetachLoadBalancerTargetGroups API instead.
//
// When you detach a load balancer, it enters the Removing state while deregistering
@ -4457,12 +4558,13 @@ func (c *AutoScaling) DetachTrafficSourcesRequest(input *DetachTrafficSourcesInp
// DetachTrafficSources API operation for Auto Scaling.
//
// Reserved for use with Amazon VPC Lattice, which is in preview and subject
// to change. Do not use this API for production workloads. This API is also
// subject to change.
//
// Detaches one or more traffic sources from the specified Auto Scaling group.
//
// When you detach a taffic, it enters the Removing state while deregistering
// the instances in the group. When all instances are deregistered, then you
// can no longer describe the traffic source using the DescribeTrafficSources
// API call. The instances continue to run.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
@ -7143,11 +7245,6 @@ type AttachTrafficSourcesInput struct {
// The unique identifiers of one or more traffic sources. You can specify up
// to 10 traffic sources.
//
// Currently, you must specify an Amazon Resource Name (ARN) for an existing
// VPC Lattice target group. Amazon EC2 Auto Scaling registers the running instances
// with the attached target groups. The target groups receive incoming traffic
// and route requests to one or more registered targets.
//
// TrafficSources is a required field
TrafficSources []*TrafficSourceIdentifier `type:"list" required:"true"`
}
@ -7925,14 +8022,14 @@ type CreateAutoScalingGroupInput struct {
// Default: 0 seconds
HealthCheckGracePeriod *int64 `type:"integer"`
// Determines whether any additional health checks are performed on the instances
// in this group. Amazon EC2 health checks are always on. For more information,
// see Health checks for Auto Scaling instances (https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html)
// A comma-separated value string of one or more health check types.
//
// The valid values are EC2, ELB, and VPC_LATTICE. EC2 is the default health
// check and cannot be disabled. For more information, see Health checks for
// Auto Scaling instances (https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html)
// in the Amazon EC2 Auto Scaling User Guide.
//
// The valid values are EC2 (default), ELB, and VPC_LATTICE. The VPC_LATTICE
// health check type is reserved for use with VPC Lattice, which is in preview
// release and is subject to change.
// Only specify EC2 if you must clear a value that was previously set.
HealthCheckType *string `min:"1" type:"string"`
// The ID of the instance used to base the launch configuration on. If specified,
@ -7970,7 +8067,7 @@ type CreateAutoScalingGroupInput struct {
// A list of Classic Load Balancers associated with this Auto Scaling group.
// For Application Load Balancers, Network Load Balancers, and Gateway Load
// Balancer, specify the TargetGroupARNs property instead.
// Balancers, specify the TargetGroupARNs property instead.
LoadBalancerNames []*string `type:"list"`
// The maximum amount of time, in seconds, that an instance can be in service.
@ -8055,16 +8152,10 @@ type CreateAutoScalingGroupInput struct {
// | arn:aws:lambda:region:account-id:function:my-function:my-alias
TerminationPolicies []*string `type:"list"`
// Reserved for use with Amazon VPC Lattice, which is in preview release and
// is subject to change. Do not use this parameter for production workloads.
// It is also subject to change.
//
// The unique identifiers of one or more traffic sources.
//
// Currently, you must specify an Amazon Resource Name (ARN) for an existing
// VPC Lattice target group. Amazon EC2 Auto Scaling registers the running instances
// with the attached target groups. The target groups receive incoming traffic
// and route requests to one or more registered targets.
// The list of traffic sources to attach to this Auto Scaling group. You can
// use any of the following as traffic sources for an Auto Scaling group: Classic
// Load Balancer, Application Load Balancer, Gateway Load Balancer, Network
// Load Balancer, and VPC Lattice.
TrafficSources []*TrafficSourceIdentifier `type:"list"`
// A comma-separated list of subnet IDs for a virtual private cloud (VPC) where
@ -11375,11 +11466,17 @@ type DescribeTrafficSourcesInput struct {
// a previous call.)
NextToken *string `type:"string"`
// The type of traffic source you are describing. Currently, the only valid
// value is vpc-lattice.
// The traffic source type that you want to describe.
//
// TrafficSourceType is a required field
TrafficSourceType *string `min:"1" type:"string" required:"true"`
// The following lists the valid values:
//
// * elb if the traffic source is a Classic Load Balancer.
//
// * elbv2 if the traffic source is a Application Load Balancer, Gateway
// Load Balancer, or Network Load Balancer.
//
// * vpc-lattice if the traffic source is VPC Lattice.
TrafficSourceType *string `min:"1" type:"string"`
}
// String returns the string representation.
@ -11409,9 +11506,6 @@ func (s *DescribeTrafficSourcesInput) Validate() error {
if s.AutoScalingGroupName != nil && len(*s.AutoScalingGroupName) < 1 {
invalidParams.Add(request.NewErrParamMinLen("AutoScalingGroupName", 1))
}
if s.TrafficSourceType == nil {
invalidParams.Add(request.NewErrParamRequired("TrafficSourceType"))
}
if s.TrafficSourceType != nil && len(*s.TrafficSourceType) < 1 {
invalidParams.Add(request.NewErrParamMinLen("TrafficSourceType", 1))
}
@ -11967,14 +12061,8 @@ type DetachTrafficSourcesInput struct {
// AutoScalingGroupName is a required field
AutoScalingGroupName *string `min:"1" type:"string" required:"true"`
// The unique identifiers of one or more traffic sources you are detaching.
// You can specify up to 10 traffic sources.
//
// Currently, you must specify an Amazon Resource Name (ARN) for an existing
// VPC Lattice target group. When you detach a target group, it enters the Removing
// state while deregistering the instances in the group. When all instances
// are deregistered, then you can no longer describe the target group using
// the DescribeTrafficSources API call. The instances continue to run.
// The unique identifiers of one or more traffic sources. You can specify up
// to 10 traffic sources.
//
// TrafficSources is a required field
TrafficSources []*TrafficSourceIdentifier `type:"list" required:"true"`
@ -13251,12 +13339,7 @@ type Group struct {
// The duration of the health check grace period, in seconds.
HealthCheckGracePeriod *int64 `type:"integer"`
// Determines whether any additional health checks are performed on the instances
// in this group. Amazon EC2 health checks are always on.
//
// The valid values are EC2 (default), ELB, and VPC_LATTICE. The VPC_LATTICE
// health check type is reserved for use with VPC Lattice, which is in preview
// release and is subject to change.
// A comma-separated value string of one or more health check types.
//
// HealthCheckType is a required field
HealthCheckType *string `min:"1" type:"string" required:"true"`
@ -13321,11 +13404,7 @@ type Group struct {
// The termination policies for the group.
TerminationPolicies []*string `type:"list"`
// Reserved for use with Amazon VPC Lattice, which is in preview release and
// is subject to change. Do not use this parameter for production workloads.
// It is also subject to change.
//
// The unique identifiers of the traffic sources.
// The traffic sources associated with this Auto Scaling group.
TrafficSources []*TrafficSourceIdentifier `type:"list"`
// One or more subnet IDs, if applicable, separated by commas.
@ -13569,10 +13648,10 @@ type Instance struct {
// AvailabilityZone is a required field
AvailabilityZone *string `min:"1" type:"string" required:"true"`
// The last reported health status of the instance. "Healthy" means that the
// instance is healthy and should remain in service. "Unhealthy" means that
// the instance is unhealthy and that Amazon EC2 Auto Scaling should terminate
// and replace it.
// The last reported health status of the instance. Healthy means that the instance
// is healthy and should remain in service. Unhealthy means that the instance
// is unhealthy and that Amazon EC2 Auto Scaling should terminate and replace
// it.
//
// HealthStatus is a required field
HealthStatus *string `min:"1" type:"string" required:"true"`
@ -13697,10 +13776,10 @@ type InstanceDetails struct {
// AvailabilityZone is a required field
AvailabilityZone *string `min:"1" type:"string" required:"true"`
// The last reported health status of this instance. "Healthy" means that the
// instance is healthy and should remain in service. "Unhealthy" means that
// the instance is unhealthy and Amazon EC2 Auto Scaling should terminate and
// replace it.
// The last reported health status of this instance. Healthy means that the
// instance is healthy and should remain in service. Unhealthy means that the
// instance is unhealthy and Amazon EC2 Auto Scaling should terminate and replace
// it.
//
// HealthStatus is a required field
HealthStatus *string `min:"1" type:"string" required:"true"`
@ -13974,7 +14053,7 @@ type InstanceRefresh struct {
// rollback. This value gradually goes back down to zero during a rollback.
PercentageComplete *int64 `type:"integer"`
// Describes the preferences for an instance refresh.
// The preferences for an instance refresh.
Preferences *RefreshPreferences `type:"structure"`
// Additional progress details for an Auto Scaling group that has a warm pool.
@ -20471,8 +20550,8 @@ func (s *TargetTrackingMetricDataQuery) SetReturnData(v bool) *TargetTrackingMet
return s
}
// This structure defines the CloudWatch metric to return, along with the statistic,
// period, and unit.
// This structure defines the CloudWatch metric to return, along with the statistic
// and unit.
//
// For more information about the CloudWatch terminology below, see Amazon CloudWatch
// concepts (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html)
@ -20480,7 +20559,7 @@ func (s *TargetTrackingMetricDataQuery) SetReturnData(v bool) *TargetTrackingMet
type TargetTrackingMetricStat struct {
_ struct{} `type:"structure"`
// Represents a specific metric.
// The metric to use.
//
// Metric is a required field
Metric *Metric `type:"structure" required:"true"`
@ -20489,7 +20568,7 @@ type TargetTrackingMetricStat struct {
// statistic. For a list of valid values, see the table in Statistics (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch_concepts.html#Statistic)
// in the Amazon CloudWatch User Guide.
//
// The most commonly used metrics for scaling is Average
// The most commonly used metric for scaling is Average.
//
// Stat is a required field
Stat *string `min:"1" type:"string" required:"true"`
@ -20697,15 +20776,51 @@ func (s *TotalLocalStorageGBRequest) SetMin(v float64) *TotalLocalStorageGBReque
return s
}
// Describes the identifier of a traffic source.
//
// Currently, you must specify an Amazon Resource Name (ARN) for an existing
// VPC Lattice target group.
// Identifying information for a traffic source.
type TrafficSourceIdentifier struct {
_ struct{} `type:"structure"`
// The unique identifier of the traffic source.
Identifier *string `min:"1" type:"string"`
// Identifies the traffic source.
//
// For Application Load Balancers, Gateway Load Balancers, Network Load Balancers,
// and VPC Lattice, this will be the Amazon Resource Name (ARN) for a target
// group in this account and Region. For Classic Load Balancers, this will be
// the name of the Classic Load Balancer in this account and Region.
//
// For example:
//
// * Application Load Balancer ARN: arn:aws:elasticloadbalancing:us-west-2:123456789012:targetgroup/my-targets/1234567890123456
//
// * Classic Load Balancer name: my-classic-load-balancer
//
// * VPC Lattice ARN: arn:aws:vpc-lattice:us-west-2:123456789012:targetgroup/tg-1234567890123456
//
// To get the ARN of a target group for a Application Load Balancer, Gateway
// Load Balancer, or Network Load Balancer, or the name of a Classic Load Balancer,
// use the Elastic Load Balancing DescribeTargetGroups (https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_DescribeTargetGroups.html)
// and DescribeLoadBalancers (https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_DescribeLoadBalancers.html)
// API operations.
//
// To get the ARN of a target group for VPC Lattice, use the VPC Lattice GetTargetGroup
// (https://docs.aws.amazon.com/vpc-lattice/latest/APIReference/API_GetTargetGroup.html)
// API operation.
//
// Identifier is a required field
Identifier *string `min:"1" type:"string" required:"true"`
// Provides additional context for the value of Identifier.
//
// The following lists the valid values:
//
// * elb if Identifier is the name of a Classic Load Balancer.
//
// * elbv2 if Identifier is the ARN of an Application Load Balancer, Gateway
// Load Balancer, or Network Load Balancer target group.
//
// * vpc-lattice if Identifier is the ARN of a VPC Lattice target group.
//
// Required if the identifier is the name of a Classic Load Balancer.
Type *string `min:"1" type:"string"`
}
// String returns the string representation.
@ -20729,9 +20844,15 @@ func (s TrafficSourceIdentifier) GoString() string {
// Validate inspects the fields of the type to determine if they are valid.
func (s *TrafficSourceIdentifier) Validate() error {
invalidParams := request.ErrInvalidParams{Context: "TrafficSourceIdentifier"}
if s.Identifier == nil {
invalidParams.Add(request.NewErrParamRequired("Identifier"))
}
if s.Identifier != nil && len(*s.Identifier) < 1 {
invalidParams.Add(request.NewErrParamMinLen("Identifier", 1))
}
if s.Type != nil && len(*s.Type) < 1 {
invalidParams.Add(request.NewErrParamMinLen("Type", 1))
}
if invalidParams.Len() > 0 {
return invalidParams
@ -20745,31 +20866,61 @@ func (s *TrafficSourceIdentifier) SetIdentifier(v string) *TrafficSourceIdentifi
return s
}
// SetType sets the Type field's value.
func (s *TrafficSourceIdentifier) SetType(v string) *TrafficSourceIdentifier {
s.Type = &v
return s
}
// Describes the state of a traffic source.
type TrafficSourceState struct {
_ struct{} `type:"structure"`
// The following are the possible states for a VPC Lattice target group:
// The unique identifier of the traffic source.
Identifier *string `min:"1" type:"string"`
// Describes the current state of a traffic source.
//
// * Adding - The Auto Scaling instances are being registered with the target
// group.
// The state values are as follows:
//
// * Added - All Auto Scaling instances are registered with the target group.
// * Adding - The Auto Scaling instances are being registered with the load
// balancer or target group.
//
// * InService - At least one Auto Scaling instance passed the VPC_LATTICE
// health check.
// * Added - All Auto Scaling instances are registered with the load balancer
// or target group.
//
// * InService - For an Elastic Load Balancing load balancer or target group,
// at least one Auto Scaling instance passed an ELB health check. For VPC
// Lattice, at least one Auto Scaling instance passed an VPC_LATTICE health
// check.
//
// * Removing - The Auto Scaling instances are being deregistered from the
// target group. If connection draining is enabled, VPC Lattice waits for
// in-flight requests to complete before deregistering the instances.
// load balancer or target group. If connection draining (deregistration
// delay) is enabled, Elastic Load Balancing or VPC Lattice waits for in-flight
// requests to complete before deregistering the instances.
//
// * Removed - All Auto Scaling instances are deregistered from the target
// group.
// * Removed - All Auto Scaling instances are deregistered from the load
// balancer or target group.
State *string `min:"1" type:"string"`
// The unique identifier of the traffic source. Currently, this is the Amazon
// Resource Name (ARN) for a VPC Lattice target group.
TrafficSource *string `min:"1" type:"string"`
// This is replaced by Identifier.
//
// Deprecated: TrafficSource has been replaced by Identifier
TrafficSource *string `min:"1" deprecated:"true" type:"string"`
// Provides additional context for the value of Identifier.
//
// The following lists the valid values:
//
// * elb if Identifier is the name of a Classic Load Balancer.
//
// * elbv2 if Identifier is the ARN of an Application Load Balancer, Gateway
// Load Balancer, or Network Load Balancer target group.
//
// * vpc-lattice if Identifier is the ARN of a VPC Lattice target group.
//
// Required if the identifier is the name of a Classic Load Balancer.
Type *string `min:"1" type:"string"`
}
// String returns the string representation.
@ -20790,6 +20941,12 @@ func (s TrafficSourceState) GoString() string {
return s.String()
}
// SetIdentifier sets the Identifier field's value.
func (s *TrafficSourceState) SetIdentifier(v string) *TrafficSourceState {
s.Identifier = &v
return s
}
// SetState sets the State field's value.
func (s *TrafficSourceState) SetState(v string) *TrafficSourceState {
s.State = &v
@ -20802,6 +20959,12 @@ func (s *TrafficSourceState) SetTrafficSource(v string) *TrafficSourceState {
return s
}
// SetType sets the Type field's value.
func (s *TrafficSourceState) SetType(v string) *TrafficSourceState {
s.Type = &v
return s
}
type UpdateAutoScalingGroupInput struct {
_ struct{} `type:"structure"`
@ -20876,12 +21039,14 @@ type UpdateAutoScalingGroupInput struct {
// in the Amazon EC2 Auto Scaling User Guide.
HealthCheckGracePeriod *int64 `type:"integer"`
// Determines whether any additional health checks are performed on the instances
// in this group. Amazon EC2 health checks are always on.
// A comma-separated value string of one or more health check types.
//
// The valid values are EC2 (default), ELB, and VPC_LATTICE. The VPC_LATTICE
// health check type is reserved for use with VPC Lattice, which is in preview
// release and is subject to change.
// The valid values are EC2, ELB, and VPC_LATTICE. EC2 is the default health
// check and cannot be disabled. For more information, see Health checks for
// Auto Scaling instances (https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html)
// in the Amazon EC2 Auto Scaling User Guide.
//
// Only specify EC2 if you must clear a value that was previously set.
HealthCheckType *string `min:"1" type:"string"`
// The name of the launch configuration. If you specify LaunchConfigurationName
@ -21884,6 +22049,9 @@ const (
// ScalingActivityStatusCodeCancelled is a ScalingActivityStatusCode enum value
ScalingActivityStatusCodeCancelled = "Cancelled"
// ScalingActivityStatusCodeWaitingForConnectionDraining is a ScalingActivityStatusCode enum value
ScalingActivityStatusCodeWaitingForConnectionDraining = "WaitingForConnectionDraining"
)
// ScalingActivityStatusCode_Values returns all elements of the ScalingActivityStatusCode enum
@ -21901,6 +22069,7 @@ func ScalingActivityStatusCode_Values() []string {
ScalingActivityStatusCodeSuccessful,
ScalingActivityStatusCodeFailed,
ScalingActivityStatusCodeCancelled,
ScalingActivityStatusCodeWaitingForConnectionDraining,
}
}

@ -11,6 +11,9 @@ import (
)
const (
// ec2CopySnapshotPresignedUrlCustomization handler name
ec2CopySnapshotPresignedUrlCustomization = "ec2CopySnapshotPresignedUrl"
// customRetryerMinRetryDelay sets min retry delay
customRetryerMinRetryDelay = 1 * time.Second
@ -21,7 +24,10 @@ const (
func init() {
initRequest = func(r *request.Request) {
if r.Operation.Name == opCopySnapshot { // fill the PresignedURL parameter
r.Handlers.Build.PushFront(fillPresignedURL)
r.Handlers.Build.PushFrontNamed(request.NamedHandler{
Name: ec2CopySnapshotPresignedUrlCustomization,
Fn: fillPresignedURL,
})
}
// only set the retryer on request if config doesn't have a retryer
@ -48,13 +54,15 @@ func fillPresignedURL(r *request.Request) {
origParams := r.Params.(*CopySnapshotInput)
// Stop if PresignedURL/DestinationRegion is set
if origParams.PresignedUrl != nil || origParams.DestinationRegion != nil {
// Stop if PresignedURL is set
if origParams.PresignedUrl != nil {
return
}
// Always use config region as destination region for SDKs
origParams.DestinationRegion = r.Config.Region
newParams := awsutil.CopyOf(r.Params).(*CopySnapshotInput)
newParams := awsutil.CopyOf(origParams).(*CopySnapshotInput)
// Create a new request based on the existing request. We will use this to
// presign the CopySnapshot request against the source region.
@ -82,8 +90,12 @@ func fillPresignedURL(r *request.Request) {
clientInfo.Endpoint = resolved.URL
clientInfo.SigningRegion = resolved.SigningRegion
// Copy handlers without Presigned URL customization to avoid an infinite loop
handlersWithoutPresignCustomization := r.Handlers.Copy()
handlersWithoutPresignCustomization.Build.RemoveByName(ec2CopySnapshotPresignedUrlCustomization)
// Presign a CopySnapshot request with modified params
req := request.New(*cfg, clientInfo, r.Handlers, r.Retryer, r.Operation, newParams, r.Data)
req := request.New(*cfg, clientInfo, handlersWithoutPresignCustomization, r.Retryer, r.Operation, newParams, r.Data)
url, err := req.Presign(5 * time.Minute) // 5 minutes should be enough.
if err != nil { // bubble error back up to original request
r.Error = err

@ -40,21 +40,21 @@ type UploadInput struct {
// information about access point ARNs, see Using access points (https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-access-points.html)
// in the Amazon S3 User Guide.
//
// When using this action with Amazon S3 on Outposts, you must direct requests
// When you use this action with Amazon S3 on Outposts, you must direct requests
// to the S3 on Outposts hostname. The S3 on Outposts hostname takes the form
// AccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When
// using this action with S3 on Outposts through the Amazon Web Services SDKs,
// you provide the Outposts bucket ARN in place of the bucket name. For more
// information about S3 on Outposts ARNs, see Using Amazon S3 on Outposts (https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html)
// you use this action with S3 on Outposts through the Amazon Web Services SDKs,
// you provide the Outposts access point ARN in place of the bucket name. For
// more information about S3 on Outposts ARNs, see What is S3 on Outposts? (https://docs.aws.amazon.com/AmazonS3/latest/userguide/S3onOutposts.html)
// in the Amazon S3 User Guide.
//
// Bucket is a required field
Bucket *string `location:"uri" locationName:"Bucket" type:"string" required:"true"`
// Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption
// with server-side encryption using AWS KMS (SSE-KMS). Setting this header
// to true causes Amazon S3 to use an S3 Bucket Key for object encryption with
// SSE-KMS.
// with server-side encryption using Key Management Service (KMS) keys (SSE-KMS).
// Setting this header to true causes Amazon S3 to use an S3 Bucket Key for
// object encryption with SSE-KMS.
//
// Specifying this header with a PUT action doesnt affect bucket-level settings
// for S3 Bucket Key.
@ -111,13 +111,13 @@ type UploadInput struct {
ChecksumSHA256 *string `location:"header" locationName:"x-amz-checksum-sha256" type:"string"`
// Specifies presentational information for the object. For more information,
// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html#sec19.5.1).
// see https://www.rfc-editor.org/rfc/rfc6266#section-4 (https://www.rfc-editor.org/rfc/rfc6266#section-4).
ContentDisposition *string `location:"header" locationName:"Content-Disposition" type:"string"`
// Specifies what content encodings have been applied to the object and thus
// what decoding mechanisms must be applied to obtain the media-type referenced
// by the Content-Type header field. For more information, see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
// (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11).
// by the Content-Type header field. For more information, see https://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding
// (https://www.rfc-editor.org/rfc/rfc9110.html#field.content-encoding).
ContentEncoding *string `location:"header" locationName:"Content-Encoding" type:"string"`
// The language the content is in.
@ -135,7 +135,7 @@ type UploadInput struct {
ContentMD5 *string `location:"header" locationName:"Content-MD5" type:"string"`
// A standard MIME type describing the format of the contents. For more information,
// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17).
// see https://www.rfc-editor.org/rfc/rfc9110.html#name-content-type (https://www.rfc-editor.org/rfc/rfc9110.html#name-content-type).
ContentType *string `location:"header" locationName:"Content-Type" type:"string"`
// The account ID of the expected bucket owner. If the bucket is owned by a
@ -144,7 +144,7 @@ type UploadInput struct {
ExpectedBucketOwner *string `location:"header" locationName:"x-amz-expected-bucket-owner" type:"string"`
// The date and time at which the object is no longer cacheable. For more information,
// see http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.21).
// see https://www.rfc-editor.org/rfc/rfc7234#section-5.3 (https://www.rfc-editor.org/rfc/rfc7234#section-5.3).
Expires *time.Time `location:"header" locationName:"Expires" type:"timestamp"`
// Gives the grantee READ, READ_ACP, and WRITE_ACP permissions on the object.
@ -211,21 +211,23 @@ type UploadInput struct {
// Specifies the Amazon Web Services KMS Encryption Context to use for object
// encryption. The value of this header is a base64-encoded UTF-8 string holding
// JSON with the encryption context key-value pairs.
// JSON with the encryption context key-value pairs. This value is stored as
// object metadata and automatically gets passed on to Amazon Web Services KMS
// for future GetObject or CopyObject operations on this object.
SSEKMSEncryptionContext *string `location:"header" locationName:"x-amz-server-side-encryption-context" type:"string" sensitive:"true"`
// If x-amz-server-side-encryption is present and has the value of aws:kms,
// this header specifies the ID of the Amazon Web Services Key Management Service
// (Amazon Web Services KMS) symmetrical customer managed key that was used
// for the object. If you specify x-amz-server-side-encryption:aws:kms, but
// do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses
// the Amazon Web Services managed key to protect the data. If the KMS key does
// not exist in the same account issuing the command, you must use the full
// ARN and not just the ID.
// If x-amz-server-side-encryption has a valid value of aws:kms or aws:kms:dsse,
// this header specifies the ID of the Key Management Service (KMS) symmetric
// encryption customer managed key that was used for the object. If you specify
// x-amz-server-side-encryption:aws:kms or x-amz-server-side-encryption:aws:kms:dsse,
// but do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3
// uses the Amazon Web Services managed key (aws/s3) to protect the data. If
// the KMS key does not exist in the same account that's issuing the command,
// you must use the full ARN and not just the ID.
SSEKMSKeyId *string `location:"header" locationName:"x-amz-server-side-encryption-aws-kms-key-id" type:"string" sensitive:"true"`
// The server-side encryption algorithm used when storing this object in Amazon
// S3 (for example, AES256, aws:kms).
// S3 (for example, AES256, aws:kms, aws:kms:dsse).
ServerSideEncryption *string `location:"header" locationName:"x-amz-server-side-encryption" type:"string" enum:"ServerSideEncryption"`
// By default, Amazon S3 uses the STANDARD Storage Class to store newly created

1682
vendor/github.com/aws/aws-sdk-go/service/ssooidc/api.go generated vendored Normal file

@ -0,0 +1,66 @@
// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
// Package ssooidc provides the client and types for making API
// requests to AWS SSO OIDC.
//
// AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect
// (OIDC) is a web service that enables a client (such as AWS CLI or a native
// application) to register with IAM Identity Center. The service also enables
// the client to fetch the users access token upon successful authentication
// and authorization with IAM Identity Center.
//
// Although AWS Single Sign-On was renamed, the sso and identitystore API namespaces
// will continue to retain their original name for backward compatibility purposes.
// For more information, see IAM Identity Center rename (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed).
//
// # Considerations for Using This Guide
//
// Before you begin using this guide, we recommend that you first review the
// following important information about how the IAM Identity Center OIDC service
// works.
//
// - The IAM Identity Center OIDC service currently implements only the portions
// of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628
// (https://tools.ietf.org/html/rfc8628)) that are necessary to enable single
// sign-on authentication with the AWS CLI. Support for other OIDC flows
// frequently needed for native applications, such as Authorization Code
// Flow (+ PKCE), will be addressed in future releases.
//
// - The service emits only OIDC access tokens, such that obtaining a new
// token (For example, token refresh) requires explicit user re-authentication.
//
// - The access tokens provided by this service grant access to all AWS account
// entitlements assigned to an IAM Identity Center user, not just a particular
// application.
//
// - The documentation in this guide does not describe the mechanism to convert
// the access token into AWS Auth (“sigv4”) credentials for use with
// IAM-protected AWS service endpoints. For more information, see GetRoleCredentials
// (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html)
// in the IAM Identity Center Portal API Reference Guide.
//
// For general information about IAM Identity Center, see What is IAM Identity
// Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
// in the IAM Identity Center User Guide.
//
// See https://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10 for more information on this service.
//
// See ssooidc package documentation for more information.
// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/
//
// # Using the Client
//
// To contact AWS SSO OIDC with the SDK use the New function to create
// a new service client. With that client you can make API requests to the service.
// These clients are safe to use concurrently.
//
// See the SDK's documentation for more information on how to use the SDK.
// https://docs.aws.amazon.com/sdk-for-go/api/
//
// See aws.Config documentation for more information on configuring SDK clients.
// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
//
// See the AWS SSO OIDC client SSOOIDC for more
// information on creating client for this service.
// https://docs.aws.amazon.com/sdk-for-go/api/service/ssooidc/#New
package ssooidc

@ -0,0 +1,107 @@
// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
package ssooidc
import (
"github.com/aws/aws-sdk-go/private/protocol"
)
const (
// ErrCodeAccessDeniedException for service response error code
// "AccessDeniedException".
//
// You do not have sufficient access to perform this action.
ErrCodeAccessDeniedException = "AccessDeniedException"
// ErrCodeAuthorizationPendingException for service response error code
// "AuthorizationPendingException".
//
// Indicates that a request to authorize a client with an access user session
// token is pending.
ErrCodeAuthorizationPendingException = "AuthorizationPendingException"
// ErrCodeExpiredTokenException for service response error code
// "ExpiredTokenException".
//
// Indicates that the token issued by the service is expired and is no longer
// valid.
ErrCodeExpiredTokenException = "ExpiredTokenException"
// ErrCodeInternalServerException for service response error code
// "InternalServerException".
//
// Indicates that an error from the service occurred while trying to process
// a request.
ErrCodeInternalServerException = "InternalServerException"
// ErrCodeInvalidClientException for service response error code
// "InvalidClientException".
//
// Indicates that the clientId or clientSecret in the request is invalid. For
// example, this can occur when a client sends an incorrect clientId or an expired
// clientSecret.
ErrCodeInvalidClientException = "InvalidClientException"
// ErrCodeInvalidClientMetadataException for service response error code
// "InvalidClientMetadataException".
//
// Indicates that the client information sent in the request during registration
// is invalid.
ErrCodeInvalidClientMetadataException = "InvalidClientMetadataException"
// ErrCodeInvalidGrantException for service response error code
// "InvalidGrantException".
//
// Indicates that a request contains an invalid grant. This can occur if a client
// makes a CreateToken request with an invalid grant type.
ErrCodeInvalidGrantException = "InvalidGrantException"
// ErrCodeInvalidRequestException for service response error code
// "InvalidRequestException".
//
// Indicates that something is wrong with the input to the request. For example,
// a required parameter might be missing or out of range.
ErrCodeInvalidRequestException = "InvalidRequestException"
// ErrCodeInvalidScopeException for service response error code
// "InvalidScopeException".
//
// Indicates that the scope provided in the request is invalid.
ErrCodeInvalidScopeException = "InvalidScopeException"
// ErrCodeSlowDownException for service response error code
// "SlowDownException".
//
// Indicates that the client is making the request too frequently and is more
// than the service can handle.
ErrCodeSlowDownException = "SlowDownException"
// ErrCodeUnauthorizedClientException for service response error code
// "UnauthorizedClientException".
//
// Indicates that the client is not currently authorized to make the request.
// This can happen when a clientId is not issued for a public client.
ErrCodeUnauthorizedClientException = "UnauthorizedClientException"
// ErrCodeUnsupportedGrantTypeException for service response error code
// "UnsupportedGrantTypeException".
//
// Indicates that the grant type in the request is not supported by the service.
ErrCodeUnsupportedGrantTypeException = "UnsupportedGrantTypeException"
)
var exceptionFromCode = map[string]func(protocol.ResponseMetadata) error{
"AccessDeniedException": newErrorAccessDeniedException,
"AuthorizationPendingException": newErrorAuthorizationPendingException,
"ExpiredTokenException": newErrorExpiredTokenException,
"InternalServerException": newErrorInternalServerException,
"InvalidClientException": newErrorInvalidClientException,
"InvalidClientMetadataException": newErrorInvalidClientMetadataException,
"InvalidGrantException": newErrorInvalidGrantException,
"InvalidRequestException": newErrorInvalidRequestException,
"InvalidScopeException": newErrorInvalidScopeException,
"SlowDownException": newErrorSlowDownException,
"UnauthorizedClientException": newErrorUnauthorizedClientException,
"UnsupportedGrantTypeException": newErrorUnsupportedGrantTypeException,
}

@ -0,0 +1,106 @@
// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
package ssooidc
import (
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/client"
"github.com/aws/aws-sdk-go/aws/client/metadata"
"github.com/aws/aws-sdk-go/aws/request"
"github.com/aws/aws-sdk-go/aws/signer/v4"
"github.com/aws/aws-sdk-go/private/protocol"
"github.com/aws/aws-sdk-go/private/protocol/restjson"
)
// SSOOIDC provides the API operation methods for making requests to
// AWS SSO OIDC. See this package's package overview docs
// for details on the service.
//
// SSOOIDC methods are safe to use concurrently. It is not safe to
// modify mutate any of the struct's properties though.
type SSOOIDC struct {
*client.Client
}
// Used for custom client initialization logic
var initClient func(*client.Client)
// Used for custom request initialization logic
var initRequest func(*request.Request)
// Service information constants
const (
ServiceName = "SSO OIDC" // Name of service.
EndpointsID = "oidc" // ID to lookup a service endpoint with.
ServiceID = "SSO OIDC" // ServiceID is a unique identifier of a specific service.
)
// New creates a new instance of the SSOOIDC client with a session.
// If additional configuration is needed for the client instance use the optional
// aws.Config parameter to add your extra config.
//
// Example:
//
// mySession := session.Must(session.NewSession())
//
// // Create a SSOOIDC client from just a session.
// svc := ssooidc.New(mySession)
//
// // Create a SSOOIDC client with additional configuration
// svc := ssooidc.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
func New(p client.ConfigProvider, cfgs ...*aws.Config) *SSOOIDC {
c := p.ClientConfig(EndpointsID, cfgs...)
if c.SigningNameDerived || len(c.SigningName) == 0 {
c.SigningName = "awsssooidc"
}
return newClient(*c.Config, c.Handlers, c.PartitionID, c.Endpoint, c.SigningRegion, c.SigningName, c.ResolvedRegion)
}
// newClient creates, initializes and returns a new service client instance.
func newClient(cfg aws.Config, handlers request.Handlers, partitionID, endpoint, signingRegion, signingName, resolvedRegion string) *SSOOIDC {
svc := &SSOOIDC{
Client: client.New(
cfg,
metadata.ClientInfo{
ServiceName: ServiceName,
ServiceID: ServiceID,
SigningName: signingName,
SigningRegion: signingRegion,
PartitionID: partitionID,
Endpoint: endpoint,
APIVersion: "2019-06-10",
ResolvedRegion: resolvedRegion,
},
handlers,
),
}
// Handlers
svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
svc.Handlers.Build.PushBackNamed(restjson.BuildHandler)
svc.Handlers.Unmarshal.PushBackNamed(restjson.UnmarshalHandler)
svc.Handlers.UnmarshalMeta.PushBackNamed(restjson.UnmarshalMetaHandler)
svc.Handlers.UnmarshalError.PushBackNamed(
protocol.NewUnmarshalErrorHandler(restjson.NewUnmarshalTypedError(exceptionFromCode)).NamedHandler(),
)
// Run custom client initialization if present
if initClient != nil {
initClient(svc.Client)
}
return svc
}
// newRequest creates a new request for a SSOOIDC operation and runs any
// custom request initialization.
func (c *SSOOIDC) newRequest(op *request.Operation, params, data interface{}) *request.Request {
req := c.NewRequest(op, params, data)
// Run custom request initialization if present
if initRequest != nil {
initRequest(req)
}
return req
}

@ -85,9 +85,9 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// When you create a role, you create two policies: A role trust policy that
// specifies who can assume the role and a permissions policy that specifies
// what can be done with the role. You specify the trusted principal who is
// When you create a role, you create two policies: a role trust policy that
// specifies who can assume the role, and a permissions policy that specifies
// what can be done with the role. You specify the trusted principal that is
// allowed to assume the role in the role trust policy.
//
// To assume a role from a different account, your Amazon Web Services account
@ -96,9 +96,9 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// are allowed to delegate that access to users in the account.
//
// A user who wants to access a role in a different account must also have permissions
// that are delegated from the user account administrator. The administrator
// must attach a policy that allows the user to call AssumeRole for the ARN
// of the role in the other account.
// that are delegated from the account administrator. The administrator must
// attach a policy that allows the user to call AssumeRole for the ARN of the
// role in the other account.
//
// To allow a user to assume a role in the same account, you can do either of
// the following:
@ -517,10 +517,8 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
// a user. You can also supply the user with a consistent identity throughout
// the lifetime of an application.
//
// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
// in the Amazon Web Services SDK for iOS Developer Guide.
// To learn more about Amazon Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
// in Amazon Cognito Developer Guide.
//
// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
// Services security credentials. Therefore, you can distribute an application
@ -984,11 +982,11 @@ func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *requ
// call the operation.
//
// No permissions are required to perform this operation. If an administrator
// adds a policy to your IAM user or role that explicitly denies access to the
// sts:GetCallerIdentity action, you can still perform this operation. Permissions
// are not required because the same information is returned when an IAM user
// or role is denied access. To view an example response, see I Am Not Authorized
// to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// attaches a policy to your identity that explicitly denies access to the sts:GetCallerIdentity
// action, you can still perform this operation. Permissions are not required
// because the same information is returned when access is denied. To view an
// example response, see I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// in the IAM User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -1063,18 +1061,26 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
// GetFederationToken API operation for AWS Security Token Service.
//
// Returns a set of temporary security credentials (consisting of an access
// key ID, a secret access key, and a security token) for a federated user.
// A typical use is in a proxy application that gets temporary security credentials
// on behalf of distributed applications inside a corporate network. You must
// call the GetFederationToken operation using the long-term security credentials
// of an IAM user. As a result, this call is appropriate in contexts where those
// credentials can be safely stored, usually in a server-based application.
// key ID, a secret access key, and a security token) for a user. A typical
// use is in a proxy application that gets temporary security credentials on
// behalf of distributed applications inside a corporate network.
//
// You must call the GetFederationToken operation using the long-term security
// credentials of an IAM user. As a result, this call is appropriate in contexts
// where those credentials can be safeguarded, usually in a server-based application.
// For a comparison of GetFederationToken with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide.
//
// Although it is possible to call GetFederationToken using the security credentials
// of an Amazon Web Services account root user rather than an IAM user that
// you create for the purpose of a proxy application, we do not recommend it.
// For more information, see Safeguard your root user credentials and don't
// use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
// in the IAM User Guide.
//
// You can create a mobile-based or browser-based app that can authenticate
// users using a web identity provider like Login with Amazon, Facebook, Google,
// or an OpenID Connect-compatible identity provider. In this case, we recommend
@ -1083,21 +1089,13 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide.
//
// You can also call GetFederationToken using the security credentials of an
// Amazon Web Services account root user, but we do not recommend it. Instead,
// we recommend that you create an IAM user for the purpose of the proxy application.
// Then attach a policy to the IAM user that limits federated users to only
// the actions and resources that they need to access. For more information,
// see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
// in the IAM User Guide.
//
// # Session duration
//
// The temporary credentials are valid for the specified duration, from 900
// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
// session duration is 43,200 seconds (12 hours). Temporary credentials obtained
// by using the Amazon Web Services account root user credentials have a maximum
// duration of 3,600 seconds (1 hour).
// by using the root user credentials have a maximum duration of 3,600 seconds
// (1 hour).
//
// # Permissions
//
@ -1267,12 +1265,13 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
// or IAM user. The credentials consist of an access key ID, a secret access
// key, and a security token. Typically, you use GetSessionToken if you want
// to use MFA to protect programmatic calls to specific Amazon Web Services
// API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would
// need to call GetSessionToken and submit an MFA code that is associated with
// their MFA device. Using the temporary security credentials that are returned
// from the call, IAM users can then make programmatic calls to API operations
// that require MFA authentication. If you do not supply a correct MFA code,
// then the API returns an access denied error. For a comparison of GetSessionToken
// API operations like Amazon EC2 StopInstances.
//
// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that
// is associated with their MFA device. Using the temporary security credentials
// that the call returns, IAM users can then make programmatic calls to API
// operations that require MFA authentication. An incorrect MFA code causes
// the API to return an access denied error. For a comparison of GetSessionToken
// with the other API operations that produce temporary credentials, see Requesting
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
@ -1287,13 +1286,12 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
// # Session Duration
//
// The GetSessionToken operation must be called by using the long-term Amazon
// Web Services security credentials of the Amazon Web Services account root
// user or an IAM user. Credentials that are created by IAM users are valid
// for the duration that you specify. This duration can range from 900 seconds
// (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
// of 43,200 seconds (12 hours). Credentials based on account credentials can
// range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
// default of 1 hour.
// Web Services security credentials of an IAM user. Credentials that are created
// by IAM users are valid for the duration that you specify. This duration can
// range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
// hours), with a default of 43,200 seconds (12 hours). Credentials based on
// account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds
// (1 hour), with a default of 1 hour.
//
// # Permissions
//
@ -1305,20 +1303,20 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
//
// - You cannot call any STS API except AssumeRole or GetCallerIdentity.
//
// We recommend that you do not call GetSessionToken with Amazon Web Services
// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
// by creating one or more IAM users, giving them the necessary permissions,
// and using IAM users for everyday interaction with Amazon Web Services.
// The credentials that GetSessionToken returns are based on permissions associated
// with the IAM user whose credentials were used to call the operation. The
// temporary credentials have the same permissions as the IAM user.
//
// The credentials that are returned by GetSessionToken are based on permissions
// associated with the user whose credentials were used to call the operation.
// If GetSessionToken is called using Amazon Web Services account root user
// credentials, the temporary credentials have root user permissions. Similarly,
// if GetSessionToken is called using the credentials of an IAM user, the temporary
// credentials have the same permissions as the IAM user.
// Although it is possible to call GetSessionToken using the security credentials
// of an Amazon Web Services account root user rather than an IAM user, we do
// not recommend it. If GetSessionToken is called using root user credentials,
// the temporary credentials have root user permissions. For more information,
// see Safeguard your root user credentials and don't use them for everyday
// tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
// in the IAM User Guide
//
// For more information about using GetSessionToken to create temporary credentials,
// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// see Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// in the IAM User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -1900,8 +1898,12 @@ type AssumeRoleWithSAMLInput struct {
// For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// in the IAM User Guide.
//
// SAMLAssertion is a sensitive parameter and its value will be
// replaced with "sensitive" in string returned by AssumeRoleWithSAMLInput's
// String and GoString methods.
//
// SAMLAssertion is a required field
SAMLAssertion *string `min:"4" type:"string" required:"true"`
SAMLAssertion *string `min:"4" type:"string" required:"true" sensitive:"true"`
}
// String returns the string representation.
@ -2036,7 +2038,7 @@ type AssumeRoleWithSAMLOutput struct {
// IAM.
//
// The combination of NameQualifier and Subject can be used to uniquely identify
// a federated user.
// a user.
//
// The following pseudocode shows how the hash value is calculated:
//
@ -2266,8 +2268,12 @@ type AssumeRoleWithWebIdentityInput struct {
// the user who is using your application with a web identity provider before
// the application makes an AssumeRoleWithWebIdentity call.
//
// WebIdentityToken is a sensitive parameter and its value will be
// replaced with "sensitive" in string returned by AssumeRoleWithWebIdentityInput's
// String and GoString methods.
//
// WebIdentityToken is a required field
WebIdentityToken *string `min:"4" type:"string" required:"true"`
WebIdentityToken *string `min:"4" type:"string" required:"true" sensitive:"true"`
}
// String returns the string representation.
@ -2573,8 +2579,12 @@ type Credentials struct {
// The secret access key that can be used to sign requests.
//
// SecretAccessKey is a sensitive parameter and its value will be
// replaced with "sensitive" in string returned by Credentials's
// String and GoString methods.
//
// SecretAccessKey is a required field
SecretAccessKey *string `type:"string" required:"true"`
SecretAccessKey *string `type:"string" required:"true" sensitive:"true"`
// The token that users must pass to the service API to use the temporary credentials.
//
@ -2922,10 +2932,9 @@ type GetFederationTokenInput struct {
// The duration, in seconds, that the session should last. Acceptable durations
// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
// using Amazon Web Services account root user credentials are restricted to
// a maximum of 3,600 seconds (one hour). If the specified duration is longer
// than one hour, the session obtained by using root user credentials defaults
// to one hour.
// using root user credentials are restricted to a maximum of 3,600 seconds
// (one hour). If the specified duration is longer than one hour, the session
// obtained by using root user credentials defaults to one hour.
DurationSeconds *int64 `min:"900" type:"integer"`
// The name of the federated user. The name is used as an identifier for the


@ -4,10 +4,9 @@
// requests to AWS Security Token Service.
//
// Security Token Service (STS) enables you to request temporary, limited-privilege
// credentials for Identity and Access Management (IAM) users or for users that
// you authenticate (federated users). This guide provides descriptions of the
// STS API. For more information about using this service, see Temporary Security
// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
// credentials for users. This guide provides descriptions of the STS API. For
// more information about using this service, see Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
//
// See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service.
//