Bump botocore dependency specification (#1307)

Author: jakob-keller

CHANGES.rst

@@ -1,10 +1,11 @@
 Changes
 -------
 
-2.21.0 (2025-02-27)
+2.21.0 (2025-02-28)
 ^^^^^^^^^^^^^^^^^^^
 * make `AioDeferredRefreshableCredentials` subclass of `DeferredRefreshableCredentials`
 * make `AioSSOCredentialFetcher` subclass of `SSOCredentialFetcher`
+* bump botocore dependency specification
 
 2.20.1.dev0 (2025-02-24)
 ^^^^^^^^^^^^^^^^^^^^^^^^

aiobotocore/args.py

@@ -49,6 +49,7 @@ def get_client_args(
         configured_endpoint_url = final_args['configured_endpoint_url']
         signing_region = endpoint_config['signing_region']
         endpoint_region_name = endpoint_config['region_name']
+        account_id_endpoint_mode = config_kwargs['account_id_endpoint_mode']
 
         event_emitter = copy.copy(self._event_emitter)
         signer = AioRequestSigner(
@@ -107,6 +108,8 @@ def get_client_args(
             is_secure,
             endpoint_bridge,
             event_emitter,
+            credentials,
+            account_id_endpoint_mode,
         )
 
         # Copy the session's user agent factory and adds client configuration.
@@ -144,6 +147,8 @@ def _build_endpoint_resolver(
         is_secure,
         endpoint_bridge,
         event_emitter,
+        credentials,
+        account_id_endpoint_mode,
     ):
         if endpoints_ruleset_data is None:
             return None
@@ -168,6 +173,8 @@ def _build_endpoint_resolver(
             endpoint_bridge=endpoint_bridge,
             client_endpoint_url=endpoint_url,
             legacy_endpoint_url=endpoint.host,
+            credentials=credentials,
+            account_id_endpoint_mode=account_id_endpoint_mode,
         )
         # Client context params for s3 conflict with the available settings
         # in the `s3` parameter on the `Config` object. If the same parameter

aiobotocore/credentials.py

@@ -249,7 +249,7 @@ async def call(self):
 class AioCredentials(Credentials):
     async def get_frozen_credentials(self):
         return ReadOnlyCredentials(
-            self.access_key, self.secret_key, self.token
+            self.access_key, self.secret_key, self.token, self.account_id
         )
 
 
@@ -299,6 +299,19 @@ def token(self):
     def token(self, value):
         self._token = value
 
+    @property
+    def account_id(self):
+        # TODO: this needs to be resolved
+        raise NotImplementedError(
+            "missing call to self._refresh. "
+            "Use get_frozen_credentials instead"
+        )
+        return self._account_id
+
+    @account_id.setter
+    def account_id(self, value):
+        self._account_id = value
+
     async def _refresh(self):
         if not self.refresh_needed(self._advisory_refresh_timeout):
             return
@@ -347,7 +360,7 @@ async def _protected_refresh(self, is_mandatory):
             return
         self._set_from_data(metadata)
         self._frozen_credentials = ReadOnlyCredentials(
-            self._access_key, self._secret_key, self._token
+            self._access_key, self._secret_key, self._token, self._account_id
         )
         if self._is_expired():
             msg = (
@@ -370,6 +383,7 @@ def __init__(self, refresh_using, method, time_fetcher=_local_now):
         self._access_key = None
         self._secret_key = None
         self._token = None
+        self._account_id = None
         self._expiry_time = None
         self._time_fetcher = time_fetcher
         self._refresh_lock = asyncio.Lock()
@@ -399,13 +413,16 @@ async def _get_cached_credentials(self):
 
         creds = response['Credentials']
         expiration = _serialize_if_needed(creds['Expiration'], iso=True)
-        return {
+        credentials = {
             'access_key': creds['AccessKeyId'],
             'secret_key': creds['SecretAccessKey'],
             'token': creds['SessionToken'],
             'expiry_time': expiration,
+            'account_id': creds.get('AccountId'),
         }
 
+        return credentials
+
 
 class AioBaseAssumeRoleCredentialFetcher(
     BaseAssumeRoleCredentialFetcher, AioCachedCredentialFetcher
@@ -421,7 +438,9 @@ async def _get_credentials(self):
         kwargs = self._assume_role_kwargs()
         client = await self._create_client()
         async with client as sts:
-            return await sts.assume_role(**kwargs)
+            response = await sts.assume_role(**kwargs)
+            self._add_account_id_to_response(response)
+            return response
 
     async def _create_client(self):
         """Create an STS client using the source credentials."""
@@ -465,7 +484,9 @@ async def _get_credentials(self):
         # the token, explicitly configure the client to not sign requests.
         config = AioConfig(signature_version=UNSIGNED)
         async with self._client_creator('sts', config=config) as client:
-            return await client.assume_role_with_web_identity(**kwargs)
+            response = await client.assume_role_with_web_identity(**kwargs)
+            self._add_account_id_to_response(response)
+            return response
 
     def _assume_role_kwargs(self):
         """Get the arguments for assume role based on current configuration."""
@@ -498,6 +519,7 @@ async def load(self):
             secret_key=creds_dict['secret_key'],
             token=creds_dict.get('token'),
             method=self.METHOD,
+            account_id=creds_dict.get('account_id'),
         )
 
     async def _retrieve_credentials_using(self, credential_process):
@@ -528,6 +550,7 @@ async def _retrieve_credentials_using(self, credential_process):
                 'secret_key': parsed['SecretAccessKey'],
                 'token': parsed.get('SessionToken'),
                 'expiry_time': parsed.get('Expiration'),
+                'account_id': self._get_account_id(parsed),
             }
         except KeyError as e:
             raise CredentialRetrievalError(
@@ -573,13 +596,15 @@ async def load(self):
                     expiry_time,
                     refresh_using=fetcher,
                     method=self.METHOD,
+                    account_id=credentials['account_id'],
                 )
 
             return AioCredentials(
                 credentials['access_key'],
                 credentials['secret_key'],
                 credentials['token'],
                 method=self.METHOD,
+                account_id=credentials['account_id'],
             )
         else:
             return None
@@ -621,8 +646,13 @@ async def load(self):
                     config, self.ACCESS_KEY, self.SECRET_KEY
                 )
                 token = self._get_session_token(config)
+                account_id = self._get_account_id(config)
                 return AioCredentials(
-                    access_key, secret_key, token, method=self.METHOD
+                    access_key,
+                    secret_key,
+                    token,
+                    method=self.METHOD,
+                    account_id=account_id,
                 )
 
 
@@ -643,8 +673,13 @@ async def load(self):
                     profile_config, self.ACCESS_KEY, self.SECRET_KEY
                 )
                 token = self._get_session_token(profile_config)
+                account_id = self._get_account_id(profile_config)
                 return AioCredentials(
-                    access_key, secret_key, token, method=self.METHOD
+                    access_key,
+                    secret_key,
+                    token,
+                    method=self.METHOD,
+                    account_id=account_id,
                 )
         else:
             return None
@@ -748,8 +783,8 @@ async def _resolve_credentials_from_profile(self, profile_name):
         ):
             # This is only here for backwards compatibility. If this provider
             # isn't given a profile provider builder we still want to be able
-            # handle the basic static credential case as we would before the
-            # provile provider builder parameter was added.
+            # to handle the basic static credential case as we would before the
+            # profile provider builder parameter was added.
             return self._resolve_static_credentials_from_profile(profile)
         elif self._has_static_credentials(
             profile
@@ -920,6 +955,7 @@ async def _retrieve_or_fail(self):
             method=self.METHOD,
             expiry_time=_parse_if_needed(creds['expiry_time']),
             refresh_using=fetcher,
+            account_id=creds.get('account_id'),
         )
 
     def _create_fetcher(self, full_uri, *args, **kwargs):
@@ -941,6 +977,7 @@ async def fetch_creds():
                 'secret_key': response['SecretAccessKey'],
                 'token': response['Token'],
                 'expiry_time': response['Expiration'],
+                'account_id': response.get('AccountId'),
             }
 
         return fetch_creds
@@ -1004,6 +1041,7 @@ async def _get_credentials(self):
                     'Expiration': self._parse_timestamp(
                         credentials['expiration']
                     ),
+                    'AccountId': self._account_id,
                 },
             }
             return credentials

aiobotocore/session.py

@@ -4,7 +4,7 @@
 from botocore.exceptions import PartialCredentialsError
 from botocore.session import EVENT_ALIASES, ServiceModel
 from botocore.session import Session as _SyncSession
-from botocore.session import UnknownServiceError, copy
+from botocore.session import UnknownServiceError, copy, logger
 
 from . import __version__, retryhandler
 from .client import AioBaseClient, AioClientCreator
@@ -82,8 +82,12 @@ def _register_response_parser_factory(self):
             'response_parser_factory', AioResponseParserFactory()
         )
 
-    def set_credentials(self, access_key, secret_key, token=None):
-        self._credentials = AioCredentials(access_key, secret_key, token)
+    def set_credentials(
+        self, access_key, secret_key, token=None, account_id=None
+    ):
+        self._credentials = AioCredentials(
+            access_key, secret_key, token, account_id=account_id
+        )
 
     async def get_credentials(self):
         if self._credentials is None:
@@ -130,6 +134,7 @@ async def _create_client(
         aws_secret_access_key=None,
         aws_session_token=None,
         config=None,
+        aws_account_id=None,
     ):
         default_client_config = self.get_default_client_config()
         # If a config is provided and a default config is set, then
@@ -165,6 +170,7 @@ async def _create_client(
                 access_key=aws_access_key_id,
                 secret_key=aws_secret_access_key,
                 token=aws_session_token,
+                account_id=aws_account_id,
             )
         elif self._missing_cred_vars(aws_access_key_id, aws_secret_access_key):
             raise PartialCredentialsError(
@@ -174,6 +180,13 @@ async def _create_client(
                 ),
             )
         else:
+            if ignored_credentials := self._get_ignored_credentials(
+                aws_session_token, aws_account_id
+            ):
+                logger.debug(
+                    f"Ignoring the following credential-related values which were set without "
+                    f"an access key id and secret key on the session or client: {ignored_credentials}"
+                )
             credentials = await self.get_credentials()
         auth_token = self.get_auth_token()
         endpoint_resolver = self._get_internal_component('endpoint_resolver')

pyproject.toml

@@ -32,7 +32,7 @@ dynamic = ["version", "readme"]
 dependencies = [
     "aiohttp >= 3.9.2, < 4.0.0",
     "aioitertools >= 0.5.1, < 1.0.0",
-    "botocore >= 1.36.20, < 1.36.24", # NOTE: When updating, always keep `project.optional-dependencies` aligned
+    "botocore >= 1.37.0, < 1.37.2", # NOTE: When updating, always keep `project.optional-dependencies` aligned
     "python-dateutil >= 2.1, < 3.0.0",
     "jmespath >= 0.7.1, < 2.0.0",
     "multidict >= 6.0.0, < 7.0.0",
@@ -41,10 +41,10 @@ dependencies = [
 
 [project.optional-dependencies]
 awscli = [
-    "awscli >= 1.37.20, < 1.37.24",
+    "awscli >= 1.38.0, < 1.38.2",
 ]
 boto3 = [
-    "boto3 >= 1.36.20, < 1.36.24",
+    "boto3 >= 1.37.0, < 1.37.2",
 ]
 
 [project.urls]

tests/boto_tests/__init__.py

@@ -11,6 +11,7 @@
 # ANY KIND, either express or implied. See the License for the specific
 # language governing permissions and limitations under the License.
 
+import binascii
 import contextlib
 import os
 import random
@@ -27,6 +28,15 @@
 _LOADER = botocore.loaders.Loader()
 
 
+def random_chars(num_chars):
+    """Returns random hex characters.
+
+    Useful for creating resources with random names.
+
+    """
+    return binascii.hexlify(os.urandom(int(num_chars / 2))).decode('ascii')
+
+
 def create_session(**kwargs):
     # Create a Session object.  By default,
     # the _LOADER object is used as the loader