Merge branch 'release-1.44.76'

aws-sdk-python-automation · aws-sdk-python-automation · commit 82c8a85603f2 · 2026-04-08T23:31:03.000Z
* release-1.44.76: Bumping version to 1.44.76 Update changelog based on model updates Allow SSEC bucket decryption in s3 integ tests (#10203) Tighten file permissions for virtual MFA bootstrap output (#10194) Tighten file permissions when writing credentials in CodeArtifact login.py (#10191)
diff --git a/.changes/1.44.76.json b/.changes/1.44.76.json
@@ -0,0 +1,52 @@
+[
+  {
+    "category": "``backup``",
+    "description": "Adding EKS specific backup vault notification types for AWS Backup.",
+    "type": "api-change"
+  },
+  {
+    "category": "``drs``",
+    "description": "This changes adds support for modifying the replication configuration to support data replication using IPv6.",
+    "type": "api-change"
+  },
+  {
+    "category": "``ecr``",
+    "description": "Add UnableToListUpstreamImageReferrersException in ListImageReferrers",
+    "type": "api-change"
+  },
+  {
+    "category": "``endpoint-rules``",
+    "description": "Update endpoint-rules command to latest version",
+    "type": "api-change"
+  },
+  {
+    "category": "``ivs-realtime``",
+    "description": "Adds support for Amazon IVS real-time streaming redundant ingest.",
+    "type": "api-change"
+  },
+  {
+    "category": "``marketplace-discovery``",
+    "description": "AWS Marketplace Discovery API provides an interface that enables programmatic access to the AWS Marketplace catalog, including searching and browsing listings, retrieving product details and fulfillment options, and accessing public and private offer pricing and terms.",
+    "type": "api-change"
+  },
+  {
+    "category": "``medialive``",
+    "description": "MediaLive is adding support for MediaConnect Router by supporting a new output type called MEDIACONNECT ROUTER. This new output type will provide seamless encrypted transport between your MediaLive channel and MediaConnect Router.",
+    "type": "api-change"
+  },
+  {
+    "category": "``outposts``",
+    "description": "Add AWS Outposts APIs to view renewal pricing options and submit renewal requests for Outpost contracts",
+    "type": "api-change"
+  },
+  {
+    "category": "CodeArtifact",
+    "description": "Tighten file permissions when writing credentials in CodeArtifact login",
+    "type": "bugfix"
+  },
+  {
+    "category": "``iam``",
+    "description": "Tighten file permissions for virtual MFA bootstrap output",
+    "type": "bugfix"
+  }
+]
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,21 @@
 CHANGELOG
 =========
 
+1.44.76
+=======
+
+* api-change:``backup``: Adding EKS specific backup vault notification types for AWS Backup.
+* api-change:``drs``: This changes adds support for modifying the replication configuration to support data replication using IPv6.
+* api-change:``ecr``: Add UnableToListUpstreamImageReferrersException in ListImageReferrers
+* api-change:``endpoint-rules``: Update endpoint-rules command to latest version
+* api-change:``ivs-realtime``: Adds support for Amazon IVS real-time streaming redundant ingest.
+* api-change:``marketplace-discovery``: AWS Marketplace Discovery API provides an interface that enables programmatic access to the AWS Marketplace catalog, including searching and browsing listings, retrieving product details and fulfillment options, and accessing public and private offer pricing and terms.
+* api-change:``medialive``: MediaLive is adding support for MediaConnect Router by supporting a new output type called MEDIACONNECT ROUTER. This new output type will provide seamless encrypted transport between your MediaLive channel and MediaConnect Router.
+* api-change:``outposts``: Add AWS Outposts APIs to view renewal pricing options and submit renewal requests for Outpost contracts
+* bugfix:CodeArtifact: Tighten file permissions when writing credentials in CodeArtifact login
+* bugfix:``iam``: Tighten file permissions for virtual MFA bootstrap output
+
+
 1.44.75
 =======
 
diff --git a/awscli/__init__.py b/awscli/__init__.py
@@ -18,7 +18,7 @@
 
 import os
 
-__version__ = '1.44.75'
+__version__ = '1.44.76'
 
 #
 # Get our data path to be added to botocore's search path
diff --git a/awscli/customizations/codeartifact/login.py b/awscli/customizations/codeartifact/login.py
@@ -183,7 +183,17 @@ def _update_netrc_entry(self, hostname, new_entry, netrc_path):
             if new_contents == contents:
                 new_contents = self._append_netrc_entry(new_contents, new_entry)
 
-            with open(netrc_path, 'w') as f:
+            fd = os.open(netrc_path,
+                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+           
+            try:
+                os.chmod(netrc_path, 0o600) # Ensure secure perms on pre-existing files
+            except OSError as e:
+                uni_print('Unable to set file permissions '
+                          'for %s: %s%s' % (netrc_path, e, os.linesep),
+                          sys.stderr)
+
+            with os.fdopen(fd, 'w') as f:
                 f.write(new_contents)
 
     def _create_netrc_file(self, netrc_path, new_entry):
@@ -631,7 +641,17 @@ def login(self, dry_run=False):
             sys.stdout.write(pypi_rc_str)
             sys.stdout.write(os.linesep)
         else:
-            with open(self.pypi_rc_path, 'w+') as fp:
+            fd = os.open(self.pypi_rc_path,
+                         os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
+          
+            try:
+                os.chmod(self.pypi_rc_path, 0o600) # Ensure secure perms on pre-existing files
+            except OSError as e:
+                uni_print('Unable to set file permissions '
+                          'for %s: %s%s' % (self.pypi_rc_path, e, os.linesep), 
+                          sys.stderr)
+            
+            with os.fdopen(fd, 'w') as fp:
                 fp.write(pypi_rc_str)
 
             self._write_success_message('twine')
diff --git a/awscli/customizations/iamvirtmfa.py b/awscli/customizations/iamvirtmfa.py
@@ -22,43 +22,55 @@
 to the specified file.  It will also remove the two bootstrap data
 fields from the response.
 """
-import base64
 
-from awscli.customizations.arguments import StatefulArgument
-from awscli.customizations.arguments import resolve_given_outfile_path
-from awscli.customizations.arguments import is_parsed_result_successful
+import base64
+import os
 
+from awscli.compat import compat_open
+from awscli.customizations.arguments import (
+    StatefulArgument,
+    is_parsed_result_successful,
+    resolve_given_outfile_path,
+)
 
 CHOICES = ('QRCodePNG', 'Base32StringSeed')
-OUTPUT_HELP = ('The output path and file name where the bootstrap '
-               'information will be stored.')
-BOOTSTRAP_HELP = ('Method to use to seed the virtual MFA.  '
-                  'Valid values are: %s | %s' % CHOICES)
+OUTPUT_HELP = (
+    'The output path and file name where the bootstrap '
+    'information will be stored.'
+)
+BOOTSTRAP_HELP = (
+    'Method to use to seed the virtual MFA.  '
+    'Valid values are: %s | %s' % CHOICES
+)
 
 
 class FileArgument(StatefulArgument):
-
     def add_to_params(self, parameters, value):
         # Validate the file here so we can raise an error prior
         # calling the service.
         value = resolve_given_outfile_path(value)
         super(FileArgument, self).add_to_params(parameters, value)
 
 
-class IAMVMFAWrapper(object):
-
+class IAMVMFAWrapper:
     def __init__(self, event_handler):
         self._event_handler = event_handler
         self._outfile = FileArgument(
-            'outfile', help_text=OUTPUT_HELP, required=True)
+            'outfile', help_text=OUTPUT_HELP, required=True
+        )
         self._method = StatefulArgument(
-            'bootstrap-method', help_text=BOOTSTRAP_HELP,
-            choices=CHOICES, required=True)
+            'bootstrap-method',
+            help_text=BOOTSTRAP_HELP,
+            choices=CHOICES,
+            required=True,
+        )
         self._event_handler.register(
             'building-argument-table.iam.create-virtual-mfa-device',
-            self._add_options)
+            self._add_options,
+        )
         self._event_handler.register(
-            'after-call.iam.CreateVirtualMFADevice', self._save_file)
+            'after-call.iam.CreateVirtualMFADevice', self._save_file
+        )
 
     def _add_options(self, argument_table, **kwargs):
         argument_table['outfile'] = self._outfile
@@ -71,7 +83,9 @@ def _save_file(self, parsed, **kwargs):
         outfile = self._outfile.value
         if method in parsed['VirtualMFADevice']:
             body = parsed['VirtualMFADevice'][method]
-            with open(outfile, 'wb') as fp:
+            with compat_open(outfile, 'wb', access_permissions=0o600) as fp:
+                if hasattr(os, 'fchmod'):
+                    os.fchmod(fp.fileno(), 0o600)
                 fp.write(base64.b64decode(body))
             for choice in CHOICES:
                 if choice in parsed['VirtualMFADevice']:
diff --git a/doc/source/conf.py b/doc/source/conf.py
@@ -52,7 +52,7 @@
 # The short X.Y version.
 version = '1.44.'
 # The full version, including alpha/beta/rc tags.
-release = '1.44.75'
+release = '1.44.76'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/setup.cfg b/setup.cfg
@@ -3,7 +3,7 @@ universal = 0
 
 [metadata]
 requires_dist =
-        botocore==1.42.85
+        botocore==1.42.86
         docutils>=0.18.1,<=0.19
         s3transfer>=0.16.0,<0.17.0
         PyYAML>=3.10,<6.1
diff --git a/setup.py b/setup.py
@@ -24,7 +24,7 @@ def find_version(*file_paths):
 
 
 install_requires = [
-    'botocore==1.42.85',
+    'botocore==1.42.86',
     'docutils>=0.18.1,<=0.19',
     's3transfer>=0.16.0,<0.17.0',
     'PyYAML>=3.10,<6.1',
diff --git a/tests/functional/iam/test_create_virtual_mfa_device.py b/tests/functional/iam/test_create_virtual_mfa_device.py
@@ -11,25 +11,26 @@
 # distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
-from awscli.testutils import BaseAWSCommandParamsTest
 import os
 
+from awscli.testutils import BaseAWSCommandParamsTest, skip_if_windows
 
-class TestCreateVirtualMFADevice(BaseAWSCommandParamsTest):
 
+class TestCreateVirtualMFADevice(BaseAWSCommandParamsTest):
     prefix = 'iam create-virtual-mfa-device'
 
     def setUp(self):
         super(TestCreateVirtualMFADevice, self).setUp()
         self.parsed_response = {
             'ResponseMetadata': {
                 'HTTPStatusCode': 200,
-                'RequestId': 'requset-id'
+                'RequestId': 'requset-id',
             },
             "VirtualMFADevice": {
                 "Base32StringSeed": (
                     "VFpYTVc2V1lIUFlFRFczSVhLUlpRUTJRVFdUSFRNRDNTQ0c3"
-                    "TkZDUVdQWDVETlNWM0IyUENaQVpWTEpQTlBOTA=="),
+                    "TkZDUVdQWDVETlNWM0IyUENaQVpWTEpQTlBOTA=="
+                ),
                 "SerialNumber": "arn:aws:iam::419278470775:mfa/fiebaz",
                 "QRCodePNG": (
                     "iVBORw0KGgoAAAANSUhEUgAAAPoAAAD6CAIAAAAHjs1qAAAFi"
@@ -74,12 +75,13 @@ def setUp(self):
                     "R3EVwF8FdBHcR3EVwF8Fd5F/+AgASajf850wfAAAAAElFTkSu"
                     "QmCC"
                 ),
-            }
+            },
         }
 
     def getpath(self, filename):
-        return os.path.join(os.path.abspath(os.path.dirname(__file__)),
-                            filename)
+        return os.path.join(
+            os.path.abspath(os.path.dirname(__file__)), filename
+        )
 
     def remove_file_if_exists(self, filename):
         if os.path.isfile(filename):
@@ -91,7 +93,8 @@ def test_base32(self):
         cmdline = self.prefix
         cmdline += ' --virtual-mfa-device-name fiebaz'
         cmdline += (
-            ' --outfile %s --bootstrap-method Base32StringSeed' % outfile)
+            ' --outfile %s --bootstrap-method Base32StringSeed' % outfile
+        )
         result = {"VirtualMFADeviceName": 'fiebaz'}
         self.assert_params_for_cmd(cmdline, result)
         self.assertTrue(os.path.exists(outfile))
@@ -145,7 +148,8 @@ def test_bad_response(self):
             },
             'ResponseMetadata': {
                 'HTTPStatusCode': 409,
-                'RequestId': 'requset-id'}
+                'RequestId': 'requset-id',
+            },
         }
         self.http_response.status_code = 409
         cmdline = self.prefix
@@ -155,4 +159,34 @@ def test_bad_response(self):
         self.assert_params_for_cmd(
             cmdline,
             stderr_contains=self.parsed_response['Error']['Message'],
-            expected_rc=255)
+            expected_rc=255,
+        )
+
+    @skip_if_windows("Permissions test not valid on Windows.")
+    def test_output_file_permissions(self):
+        outfile = self.getpath('fiebaz_perms.b32')
+        self.addCleanup(self.remove_file_if_exists, outfile)
+        cmdline = self.prefix
+        cmdline += ' --virtual-mfa-device-name fiebaz'
+        cmdline += (
+            ' --outfile %s --bootstrap-method Base32StringSeed' % outfile
+        )
+        result = {"VirtualMFADeviceName": 'fiebaz'}
+        self.assert_params_for_cmd(cmdline, result)
+        self.assertEqual(os.stat(outfile).st_mode & 0xFFF, 0o600)
+
+    @skip_if_windows("Permissions test not valid on Windows.")
+    def test_output_file_permissions_existing_file(self):
+        outfile = self.getpath('fiebaz_perms_existing.b32')
+        self.addCleanup(self.remove_file_if_exists, outfile)
+        with open(outfile, 'wb') as f:
+            f.write(b'existing')
+        os.chmod(outfile, 0o644)
+        cmdline = self.prefix
+        cmdline += ' --virtual-mfa-device-name fiebaz'
+        cmdline += (
+            ' --outfile %s --bootstrap-method Base32StringSeed' % outfile
+        )
+        result = {"VirtualMFADeviceName": 'fiebaz'}
+        self.assert_params_for_cmd(cmdline, result)
+        self.assertEqual(os.stat(outfile).st_mode & 0xFFF, 0o600)
diff --git a/tests/integration/customizations/s3/test_plugin.py b/tests/integration/customizations/s3/test_plugin.py
@@ -87,6 +87,21 @@ def setup_module():
     s3.delete_public_access_block(
         Bucket=_SHARED_BUCKET
     )
+    s3.put_bucket_encryption(
+        Bucket=_SHARED_BUCKET,
+        ServerSideEncryptionConfiguration={
+            'Rules': [
+                {
+                    'ApplyServerSideEncryptionByDefault': {
+                        'SSEAlgorithm': 'AES256',
+                    },
+                    'BlockedEncryptionTypes': {
+                        'EncryptionType': ['NONE'],
+                    },
+                }
+            ],
+        },
+    )
 
     # Validate that "_NON_EXISTENT_BUCKET" doesn't exist.
     waiter = s3.get_waiter('bucket_not_exists')
diff --git a/tests/unit/customizations/codeartifact/test_adapter_login.py b/tests/unit/customizations/codeartifact/test_adapter_login.py

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@`
`18`	`18`
`19`	`19`	`import os`
`20`	`20`
`21`		`-__version__ = '1.44.75'`
	`21`	`+__version__ = '1.44.76'`
`22`	`22`
`23`	`23`	`#`
`24`	`24`	`# Get our data path to be added to botocore's search path`