Add account_id_endpoint_mode and consume account_id in ruleset #3345
Codecov Report
All modified and coverable lines are covered by tests ✅

@@ Coverage Diff @@
## account-id-endpoint-routing #3345 +/- ##
==============================================================
Coverage ? 93.08%
==============================================================
Files ? 66
Lines ? 14556
Branches ? 0
==============================================================
Hits ? 13549
Misses ? 1007
Partials ? 0
Great start! I just had a few suggestions and questions
botocore/args.py
Outdated
) | ||
|
||
signature_version = config_kwargs.get('signature_version') | ||
if signature_version is botocore.UNSIGNED: |
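Review bot: the `signature_version is botocore.UNSIGNED` test only sees a value that arrived through `config_kwargs`; when the key is absent, `.get('signature_version')` returns None and the branch is skipped, so signing that is turned off by any other route never reaches it. A one-line comment above the `if` stating what this branch is meant to do for unsigned clients, plus a test that leaves `signature_version` unset, would make the intended behaviour explicit.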
I know the AWS CLI has the `--no-sign-request` option. I believe this gets handled a bit differently. We should confirm if this logic also handles this case or not.
Hmm, you're right. Did a quick investigation and it seems like the CLI uses the `disable_signing` handler which returns `botocore.UNSIGNED` for a no_sign_request. However, this is triggered by an event so the logic here would not handle this case. I will look into it further.
Nit: if we wind up going with this logic, it should be the first thing in this method. It will override the rest of the work we have done in this function, so it makes sense to do this early in the method
I agree. Will update this in next revision.
8764f68 into boto:account-id-endpoint-routing
Account ID Endpoint Mode

This PR introduces the `account_id_endpoint_mode` configuration setting, which determines the client’s behavior for account ID based endpoint routing. When enabled and configured in a service’s ruleset, the endpoint resolver will attempt to resolve the account ID as an input parameter to the endpoint provider. The valid values for this setting are:

- `preferred`: The endpoint should include the account ID if available.
- `disabled`: The endpoint will not include the account ID, even if available.
- `required`: The endpoint must include the account ID. An exception will be raised if the account ID is unavailable.

If no value is provided, the default behavior will be `preferred`.

Consuming Account ID in the Ruleset

This PR also adds support for consuming the account ID in the ruleset during endpoint resolution. Specifically, the following built-in parameters will now be resolved:

- `AWS::Auth::AccountId`: The AWS account ID that can be optionally configured for the SDK client.
- `AWS::Auth::AccountIdEndpointMode`: The setting that determines whether the endpoint should include the account ID.

Account ID will be treated as a deferred property, using the `get_deferred_property` method in the `Credentials` class. This ensures that the account ID is resolved only when needed, deferring the resource-intensive resolution of account ID tied to `DeferredRefreshableCredentials` until endpoint resolution time. This approach avoids unnecessary credential fetches during client initialization and aligns with the behavior of deferred credentials.
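
A minimal model of the three modes and the deferred lookup described above, as an added example that is not botocore's code. `LazyCredentials`, `AccountIdNotFound`, `resolve_builtins` and the sample account ID are hypothetical, and skipping the lookup entirely in `disabled` mode is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

VALID_MODES = ("preferred", "disabled", "required")

class AccountIdNotFound(Exception):
    """Hypothetical error for 'required' mode when no account ID is available."""

@dataclass
class LazyCredentials:
    """Hypothetical stand-in for credentials whose account ID is costly to fetch."""
    fetch: Callable[[], Optional[str]]  # models the expensive credential lookup
    fetch_count: int = 0
    _cache: dict = field(default_factory=dict)

    def get_deferred_property(self, name: str) -> Callable[[], Optional[str]]:
        # Hand back a callable rather than the value, so nothing is fetched yet.
        def resolve() -> Optional[str]:
            if name not in self._cache:
                self.fetch_count += 1
                self._cache[name] = self.fetch()
            return self._cache[name]
        return resolve

def resolve_builtins(mode: Optional[str], creds: LazyCredentials) -> dict:
    """Build the two built-in parameters at endpoint-resolution time."""
    mode = "preferred" if mode is None else mode  # default stated in the PR text
    if mode not in VALID_MODES:
        raise ValueError(f"invalid account_id_endpoint_mode: {mode!r}")
    account_id = None
    if mode != "disabled":  # assumption: 'disabled' never triggers the fetch
        account_id = creds.get_deferred_property("account_id")()
        if mode == "required" and not account_id:
            raise AccountIdNotFound("account ID required but unavailable")
    return {
        "AWS::Auth::AccountId": account_id,
        "AWS::Auth::AccountIdEndpointMode": mode,
    }

def demo() -> list:
    """Record how many fetches have happened after each stage."""
    creds = LazyCredentials(fetch=lambda: "123456789012")  # constructed sample ID
    counts = [creds.fetch_count]      # nothing fetched at construction time
    resolve_builtins("disabled", creds)
    counts.append(creds.fetch_count)  # 'disabled' did not touch the credentials
    resolve_builtins(None, creds)     # falls back to 'preferred'
    resolve_builtins("required", creds)
    counts.append(creds.fetch_count)  # fetched once, then served from the cache
    return counts
```
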