Bump botocore dependency specification

Author: jakob-keller

CHANGES.rst

@@ -3,7 +3,7 @@ Changes
 
 2.24.1 (2025-08-09)
 ^^^^^^^^^^^^^^^^^^^
-* relax botocore dependency specification
+* bump botocore dependency specification
 
 2.24.0 (2025-07-31)
 ^^^^^^^^^^^^^^^^^^^

aiobotocore/credentials.py

@@ -5,8 +5,9 @@
 from copy import deepcopy
 
 import botocore.compat
+import dateutil.parser
 from botocore import UNSIGNED
-from botocore.compat import compat_shell_split
+from botocore.compat import compat_shell_split, total_seconds
 from botocore.config import Config
 from botocore.credentials import (
     _DEFAULT_ADVISORY_REFRESH_TIMEOUT,
@@ -1048,7 +1049,16 @@ async def _get_credentials(self):
                 initial_token_data = self._token_provider.load_token()
                 token = (await initial_token_data.get_frozen_token()).token
             else:
-                token = self._token_loader(self._start_url)['accessToken']
+                token_dict = self._token_loader(self._start_url)
+                token = token_dict['accessToken']
+
+                # raise an UnauthorizedSSOTokenError if the loaded legacy token
+                # is expired to save a call to GetRoleCredentials with an
+                # expired token.
+                expiration = dateutil.parser.parse(token_dict['expiresAt'])
+                remaining = total_seconds(expiration - self._time_fetcher())
+                if remaining <= 0:
+                    raise UnauthorizedSSOTokenError()
 
             kwargs = {
                 'roleName': self._role_name,

pyproject.toml

@@ -32,7 +32,7 @@ dynamic = ["version", "readme"]
 dependencies = [
     "aiohttp >= 3.9.2, < 4.0.0",
     "aioitertools >= 0.5.1, < 1.0.0",
-    "botocore >= 1.39.9, < 1.39.15", # NOTE: When updating, always keep `project.optional-dependencies` aligned
+    "botocore >= 1.39.15, < 1.40.1", # NOTE: When updating, always keep `project.optional-dependencies` aligned
     "python-dateutil >= 2.1, < 3.0.0",
     "jmespath >= 0.7.1, < 2.0.0",
     "multidict >= 6.0.0, < 7.0.0",
@@ -41,10 +41,10 @@ dependencies = [
 
 [project.optional-dependencies]
 awscli = [
-    "awscli >= 1.41.9, < 1.41.15",
+    "awscli >= 1.41.15, < 1.42.1",
 ]
 boto3 = [
-    "boto3 >= 1.39.9, < 1.39.15",
+    "boto3 >= 1.39.15, < 1.40.1",
 ]
 httpx = [
     "httpx >= 0.25.1, < 0.29"

tests/botocore_tests/unit/test_credentials.py

@@ -1089,14 +1089,18 @@ async def ssl_credential_fetcher_setup():
         self.start_url = 'https://d-92671207e4.awsapps.com/start'
         self.role_name = 'test-role'
         self.account_id = '1234567890'
-        self.access_token = 'some.sso.token'
+        self.access_token = {
+            'accessToken': 'some.sso.token',
+            'expiresAt': '2018-10-18T22:26:40Z',
+        }
         # This is just an arbitrary point in time we can pin to
         self.now = datetime(2008, 9, 23, 12, 26, 40, tzinfo=tzutc())
         # The SSO endpoint uses ms whereas the OIDC endpoint uses seconds
         self.now_timestamp = 1222172800000
+        self.mock_time_fetcher = mock.Mock(return_value=self.now)
 
         self.loader = mock.Mock(spec=SSOTokenLoader)
-        self.loader.return_value = {'accessToken': self.access_token}
+        self.loader.return_value = self.access_token
         self.fetcher = AioSSOCredentialFetcher(
             self.start_url,
             self.sso_region,
@@ -1105,11 +1109,13 @@ async def ssl_credential_fetcher_setup():
             self.mock_session.create_client,
             token_loader=self.loader,
             cache=self.cache,
+            time_fetcher=self.mock_time_fetcher,
         )
 
         tc = TestCase()
         self.assertEqual = tc.assertEqual
         self.assertRaises = tc.assertRaises
+        self.assertFalse = tc.assertFalse
         yield self
 
 
@@ -1292,7 +1298,7 @@ async def test_sso_credential_fetcher_can_fetch_credentials(
     expected_params = {
         'roleName': self.role_name,
         'accountId': self.account_id,
-        'accessToken': self.access_token,
+        'accessToken': self.access_token['accessToken'],
     }
     expected_response = {
         'roleCredentials': {
@@ -1334,7 +1340,7 @@ async def test_sso_cred_fetcher_raises_helpful_message_on_unauthorized_exception
     expected_params = {
         'roleName': self.role_name,
         'accountId': self.account_id,
-        'accessToken': self.access_token,
+        'accessToken': self.access_token['accessToken'],
     }
     self.stubber.add_client_error(
         'get_role_credentials',
@@ -1346,6 +1352,31 @@ async def test_sso_cred_fetcher_raises_helpful_message_on_unauthorized_exception
             await self.fetcher.fetch_credentials()
 
 
+async def test_sso_cred_fetcher_expired_legacy_token_has_expected_behavior(
+    ssl_credential_fetcher_setup,
+):
+    self = ssl_credential_fetcher_setup
+    # Mock the current time to be in the future after the access token has expired
+    now = datetime(2018, 10, 19, 12, 26, 40, tzinfo=tzutc())
+    mock_client = mock.AsyncMock()
+    create_mock_client = mock.Mock(return_value=mock_client)
+    fetcher = AioSSOCredentialFetcher(
+        self.start_url,
+        self.sso_region,
+        self.role_name,
+        self.account_id,
+        create_mock_client,
+        token_loader=self.loader,
+        cache=self.cache,
+        time_fetcher=mock.Mock(return_value=now),
+    )
+    # since the cached token is expired, an UnauthorizedSSOTokenError should be
+    # raised and GetRoleCredentials should not be called.
+    with self.assertRaises(botocore.exceptions.UnauthorizedSSOTokenError):
+        await fetcher.fetch_credentials()
+    self.assertFalse(mock_client.get_role_credentials.called)
+
+
 # from TestSSOProvider
 @pytest.fixture
 async def sso_provider_setup():

tests/test_patches.py

@@ -407,7 +407,7 @@ def test_protocol_parsers():
         (
             SSOCredentialFetcher._get_credentials,
             {
-                '13ac3b73e0745dfeaa934a8873179ca6c22a164f',
+                'd15db30acdb7295a055e89b6c3bc077847e9b37c',
             },
         ),
         (