vKg,KSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKJ r SSK J r SSK J r SSKJr SSKJrJr SSKrSSKrSSKJr SSKJrJr SS KJr SS KJrJrJrJrJ r J!r!J"r"J#r#J$r$ SS K%J&r& SS K'J(r(J)r)J*r*J+r+J,r,J-r-J.r. \R^"\05r1\ "S /SQ5r2Sr3Sr4SGSjr5"SS5r6Sr7Sr8Sr9SHSjr:Sr;Sr"SS\>5r?"SS \?5r@"S!S"5rA"S#S$\A5rB"S%S&\B5rC"S'S(\B5rD"S)S*5rE"S+S,\E5rF"S-S.\E5rG"S/S0\E5rH"S1S2\E5rI"S3S4\E5rJ"S5S6\E5rK"S7S8\E5rL"S9S:\E5rM"S;S<\E5rN"S=S>5rO"S?S@\E5rP"SASB5rQ"SCSD\A5rR"SESF\E5rSg)IN) namedtuple)deepcopy)sha1parse)tzlocaltzutc)UNSIGNED)compat_shell_split total_seconds)Config) ConfigNotFoundCredentialRetrievalErrorInfiniteLoopConfigErrorInvalidConfigErrorMetadataRetrievalErrorPartialCredentialsErrorRefreshWithMFAUnsupportedErrorUnauthorizedSSOTokenErrorUnknownCredentialError)SSOTokenProvider)ContainerMetadataFetcherFileWebIdentityTokenLoaderInstanceMetadataFetcher JSONFileCacheSSOTokenLoaderparse_key_val_fileresolve_imds_endpoint_modeReadOnlyCredentials access_key secret_keytokeniXc ^TRS5=(d SnTRS5nTRS5nTR5RS5SLnTRS5[T5[TRS5S.nUc0n[ 5n[ 5n [[UUTR5US 9S 9n [TXS 9n [U4S j[TU5UU[XU /5U S 9n UU /n U RUUS9n[5[!5U U /nX-U-nU(a&UR#U5 [$R'S5 [)US9nU$)zCreate a default credential resolver. This creates a pre-configured credential resolver that includes the default lookup chain for credentials. profiledefaultmetadata_service_timeoutmetadata_service_num_attemptsNec2_metadata_service_endpointec2_metadata_v1_disabled)r*"ec2_metadata_service_endpoint_modeec2_credential_refresh_windowr+)timeout num_attempts user_agentconfig)iam_role_fetcher)cache region_namec>TR$N) full_configsessionsT/var/www/highfloat_scraper/venv/lib/python3.13/site-packages/botocore/credentials.py,create_credential_resolver..ms G//) load_configclient_creatorr3 profile_namecredential_sourcerprofile_provider_builderr@disable_env_varszWSkipping environment variable credential check because profile name was explicitly set. providers)get_config_variableinstance_variablesgetr!_DEFAULT_ADVISORY_REFRESH_TIMEOUT EnvProviderContainerProviderInstanceMetadataProviderrr0ProfileProviderBuilderAssumeRoleProvider_get_client_creatorCanonicalNameCredentialSourcerrFOriginalEC2Provider BotoProviderremoveloggerdebugCredentialResolver)r9r3r4r@metadata_timeoutr/rD imds_config env_providercontainer_providerinstance_metadata_providerrBassume_role_provider pre_profileprofile_providers post_profilerFresolvers` r:create_credential_resolverrbAs..y9FYL223MN../NOL11377 B$N*1)D)D +* /I / *K$+$?$? &%  K }=L*,!90$%))+  " 6u ./*7K@!9 /I J ":  K1::!); " L /,>I &  8 "I6H Or=cL\rSrSrSrS SjrS SjrSrSrSr S r S r S r g)rNaThis class handles the creation of profile based providers. NOTE: This class is only intended for internal use. This class handles the creation and ordering of the various credential providers that primarly source their configuration from the shared config. This is needed to enable sharing between the default credential chain and the source profile chain created by the assume role provider. Nc4XlX lX0lX@lgr6)_session_cache _region_name_sso_token_cache)selfr9r3r4sso_token_caches r:__init__ProfileProviderBuilder.__init__s  ' /r=cURUU5URU5URU5URU5UR U5/$r6)_create_web_identity_provider_create_sso_provider"_create_shared_credential_provider_create_process_provider_create_config_providerrjr@rDs r:rF ProfileProviderBuilder.providerssZ  . .    % %l 3  3 3L A  ) ), 7  ( ( 6  r=c ^[UU4SjS9$)Nc0>TRR$r6rfr7rjsr:r;AProfileProviderBuilder._create_process_provider.. 9 9r=)r@r>)ProcessProviderrjr@s` r:rr/ProfileProviderBuilder._create_process_providers%9  r=cLURRS5n[UUS9$)Ncredentials_file)r@creds_filename)rfrGSharedCredentialProvider)rjr@credential_files r:rq9ProfileProviderBuilder._create_shared_credential_providers*--;;TRR$r6rxrysr:r;FProfileProviderBuilder._create_web_identity_provider..r{r=)r>r?r3r@rD)!AssumeRoleWithWebIdentityProviderrPrfrhrgrts` r:ro4ProfileProviderBuilder._create_web_identity_providers909. t00++%-  r=c ^[U4SjTRRUTRTR[ TRTRUS9S9$)Nc0>TRR$r6rxrysr:r;=ProfileProviderBuilder._create_sso_provider..r{r=)r3r@)r>r?r@r3 token_cachetoken_provider) SSOProviderrf create_clientrgrirr}s` r:rp+ProfileProviderBuilder._create_sso_providersN9==66%++--+ ++)  r=)rgrhrfriNNNF) __name__ __module__ __qualname____firstlineno____doc__rlrFrrrqrsrorp__static_attributes__r=r:rNrNs1FJ0         r=rNc8[U5nUR5$r6)rbload_credentials)r9ras r:get_credentialsrs)'2H  $ $ &&r=cP[RR[55$r6)datetimenowrrr=r: _local_nowrs     ++r=cZ[U[R5(aU$[U5$r6) isinstancerr)values r:_parse_if_neededrs$%**++ <r=c[U[R5(a(U(aUR5$URS5$U$)Nz%Y-%m-%dT%H:%M:%S%Z)rr isoformatstrftime)risos r:_serialize_if_neededrs:%**++ ??$ $~~344 Lr=c^^UU4SjnU$)NcV>ST0nUR"S0UD6 TR"U40UD6$)Nr4r)updater) service_namekwargscreate_client_kwargsr4r9s r:r?+_get_client_creator..client_creators6 -{;##-f-$$\J5IJJr=r)r9r4r?s`` r:rPrPsK r=c^^UU4SjnU$)Ncj>TR"S0TD6nUSnUSUSUS[US5S.$)N Credentials AccessKeyIdSecretAccessKey SessionToken Expirationr!r"r# expiry_timer) assume_roler)response credentialsclientparamss r:refresh-create_assume_role_refresher..refreshsR%%//}- &m4%&78 0/ L0IJ   r=r)rrrs`` r:create_assume_role_refresherrs   Nr=c&"SS5nU"U5$)Nc \rSrSrSrSrSrg)/create_mfa_serial_refresher.._RefreshericXlSUlg)NF)_refresh_has_been_called)rjrs r:rl8create_mfa_serial_refresher.._Refresher.__init__ s#M$)D !r=cfUR(a [5eSUlUR5$NT)rrrrys r:__call__8create_mfa_serial_refresher.._Refresher.__call__$s*$$566$(D !==? "r=)rrN)rrrrrlrrrr=r: _Refresherrs  * #r=rr)actual_refreshrs r:create_mfa_serial_refresherrs # # n %%r=c.\rSrSrSrSSjrSrSrSrg) ri0aT Holds the credentials needed to authenticate requests. :param str access_key: The access key part of the credentials. :param str secret_key: The secret key part of the credentials. :param str token: The security token, valid only for session credentials. :param str method: A string which identifies where the credentials were found. Nc^XlX lX0lUcSnX@lUR 5 g)Nexplicit)r!r"r#method _normalize)rjr!r"r#rs r:rlCredentials.__init__;s*$$ >F  r=c[RRUR5Ul[RRUR5Ulgr6)botocorecompatensure_unicoder!r"rys r:rCredentials._normalizeFs8#//88I"//88Ir=cX[URURUR5$r6)rr!r"r#rys r:get_frozen_credentials"Credentials.get_frozen_credentialsPs"" OOT__djj  r=)r!rr"r#NN) rrrrrrlrrrrr=r:rr0s J r=rc(\rSrSrSr\r\r\ SS4Sjr Sr \ SSj5r \S5r\R S5r\S 5r\R S 5r\S 5r\R S 5rS rSSjrSrSrSr\S5rSrSrSrg)RefreshableCredentialsiVa] Holds the credentials needed to authenticate requests. In addition, it knows how to refresh itself. :param str access_key: The access key part of the credentials. :param str secret_key: The secret key part of the credentials. :param str token: The security token, valid only for session credentials. :param datetime expiry_time: The expiration time of the credentials. :param function refresh_using: Callback function to refresh the credentials. :param str method: A string which identifies where the credentials were found. :param function time_fetcher: Callback function to retrieve current time. Nc XPlXlX lX0lX@lXpl[ R"5UlX`l [XU5Ul UR5 UbXl U bXlggr6)_refresh_using _access_key _secret_key_token _expiry_time _time_fetcher threadingLock _refresh_lockrr_frozen_credentialsr_advisory_refresh_timeout_mandatory_refresh_timeout) rjr!r"r#r refresh_usingr time_fetcheradvisory_timeoutmandatory_timeouts r:rlRefreshableCredentials.__init__lsv,%% ')&^^- #6 E$     '-= *  (.? + )r=c[RRUR5Ul[RRUR5Ulgr6)rrrrrrys r:r!RefreshableCredentials._normalizes<#??99$:J:JK#??99$:J:JKr=c z0nUbXFS'UbXVS'U"SUSUSUSURUS5UUS.UD6nU$) Nrrr!r"r#r)r!r"r#rrrr)_expiry_datetime)clsmetadatarrrrrinstances r:create_from_metadata+RefreshableCredentials.create_from_metadatasx  ')9% &  (*;& '  - -7#,,Xm-DE'   r=c:UR5 UR$zWarning: Using this property can lead to race conditions if you access another property subsequently along the refresh boundary. Please use get_frozen_credentials instead. )rrrys r:r!!RefreshableCredentials.access_key r=cXlgr6)rrjrs r:r!r r=c:UR5 UR$r)rrrys r:r"!RefreshableCredentials.secret_keyrr=cXlgr6)rrs r:r"r rr=c:UR5 UR$r)rrrys r:r#RefreshableCredentials.tokens {{r=cXlgr6)rrs r:r#r s r=cRURUR5- n[U5$r6)rrr )rjdeltas r:_seconds_remaining)RefreshableCredentials._seconds_remainings&!!D$6$6$88U##r=cURcgUc URnUR5U:ag[R S5 g)aKCheck if a refresh is needed. A refresh is needed if the expiry time associated with the temporary credentials is less than the provided ``refresh_in``. If ``time_delta`` is not provided, ``self.advisory_refresh_needed`` will be used. For example, if your temporary credentials expire in 10 minutes and the provided ``refresh_in`` is ``15 * 60``, then this function will return ``True``. :type refresh_in: int :param refresh_in: The number of seconds before the credentials expire in which refresh attempts should be made. :return: True if refresh needed, False otherwise. Fz!Credentials need to be refreshed.T)rrrrUrV)rj refresh_ins r:refresh_needed%RefreshableCredentials.refresh_neededsJ(    $  77J  " " $ 2 89r=c URSS9$)Nr)r)rrys r: _is_expired"RefreshableCredentials._is_expireds""a"00r=cURUR5(dgURRS5(aURUR5(dURR 5 gURUR 5nUR US9 URR 5 gURUR 5(aOUR URUR 5(d SSS5 gUR SS9 SSS5 gg!URR 5 f=f!,(df  g=f)NF) is_mandatoryT)rrracquirereleaser_protected_refresh)rjis_mandatory_refreshs r:rRefreshableCredentials._refreshs3""4#A#ABB     % %e , , -**4+I+IJJ""**, (,':':33($''5I'J""**,  !@!@ A A##**4+J+JKK$#''T':$#B""**,$#s$ D5?*D51"EE5E E"cUR5nUR U5 [ UR URUR5Ul UR5(a"Sn[RU5 [U5eg![a+ U(aSOSn[RSUSS9 U(aegf=f)N mandatoryadvisoryzARefreshing temporary credentials failed during %s refresh period.Texc_infozLCredentials were refreshed, but the refreshed credentials are still expired.) r ExceptionrUwarning_set_from_datarrrrrr RuntimeError)rjrr period_namemsgs r:r)RefreshableCredentials._protected_refreshs **,H$ H%#6   d.. $       ;  NN3 s# # + )5+:K NN,    ! sB 2C?Cc[U5$r6r)time_strs r:r'RefreshableCredentials._expiry_datetime=s Xr=cz/SQnU(dUnOUVs/sH oDU;dM UPM nnU(a(Sn[URUSRU5-S9eUSUlUSUlUSUl[ US5Ul[RS UR5 UR5 gs snf) Nrz7Credential refresh failed, response did not contain: %s, provider error_msgr!r"r#rz(Retrieved credentials will expire at: %s) rrjoinr!r"r#rrrUrVr)rjdata expected_keys missing_keyskmessages r:r(%RefreshableCredentials._set_from_dataAsL (L'4F}! A}LF OG*!DIIl$;;  |,|,'] !$}"56 68I8I  !Gs B8B8c:UR5 UR$)aReturn immutable credentials. The ``access_key``, ``secret_key``, and ``token`` properties on this class will always check and refresh credentials if needed before returning the particular credentials. This has an edge case where you can get inconsistent credentials. Imagine this: # Current creds are "t1" tmp.access_key ---> expired? no, so return t1.access_key # ---- time is now expired, creds need refreshing to "t2" ---- tmp.secret_key ---> expired? yes, refresh and return t2.secret_key This means we're using the access key from t1 with the secret key from t2. To fix this issue, you can request a frozen credential object which is guaranteed not to change. The frozen credentials returned from this method should be used immediately and then discarded. The typical usage pattern would be:: creds = RefreshableCredentials(...) some_code = SomeSignerObject() # I'm about to sign the request. # The frozen credentials are only used for the # duration of generate_presigned_url and will be # immediately thrown away. request = some_code.sign_some_request( with_credentials=creds.get_frozen_credentials()) print("Signed request:", request) )rrrys r:r-RefreshableCredentials.get_frozen_credentialsXsD '''r=)rrrrrrrrrrr!rr"r#rr6)rrrrrrJr"_DEFAULT_MANDATORY_REFRESH_TIMEOUTrrrlr classmethodrpropertyr!setterr"r#rrrrr staticmethodrr(rrrr=r:rrVs   !B"D @:L  2  !!  !! \\$ D1;<%$N.#(r=rc<^\rSrSrSr\4SjrSU4SjjrSrU=r $)DeferredRefreshableCredentialsi~zqRefreshable credentials that don't require initial credentials. refresh_using will be called upon first access. cXlSUlSUlSUlSUlX0l[ R"5UlX l SUl gr6) rrrrrrrrrrr)rjrrrs r:rl'DeferredRefreshableCredentials.__init__sI+  )&^^- #' r=c>>URcg[TU] U5$r)rsuperr)rjr __class__s r:r-DeferredRefreshableCredentials.refresh_neededs"  # # +w%j11r=) rrrrrrrrrr6) rrrrrrrlrr __classcell__rIs@r:rDrD~s *%   r=cURUR;aO[URUR5nURU5(dU$[R S5 g)Nz6Credentials were found in cache, but they are expired.)rQrgrrrUrV)rjrns r:rl(CachedCredentialFetcher._load_from_cachesS ??dkk )T[[9:E##E**  Lr=cH[U5URUR'gr6)rrgrQ)rjrs r:rm'CachedCredentialFetcher._write_to_caches'/'9 DOO$r=cl[USS5n[U[5- 5nX0R:$)z!Check if credentials are expired.rr)rr rrS)rjrend_timesecondss r:r#CachedCredentialFetcher._is_expireds6#K $>|$LM:< 784444r=)rgrQrSr)rrrrrRrlrPrbrerirhrlrmrrrr=r:rNrNs5$+!<9* 8. , :5r=rNc>^\rSrSrSU4SjjrSrSrSrU=r$)BaseAssumeRoleCredentialFetcheric4>XlX lUc0UlO[U5UlURURS'URR S5UlSUlUR (dUR5 [TU]%XE5 g)NRoleArnRoleSessionNameF) _client_creator _role_arn_assume_kwargsrrI_role_session_name_using_default_session_name_generate_assume_role_namerHrl)rjr?role_arn extra_argsr3rTrIs r:rl(BaseAssumeRoleCredentialFetcher.__init__s .!  "$D "*:"6D )-I&"&"5"5"9"9:K"L+0(&&  + + - 6r=cS[[R"553UlURURS'SUlg)Nzbotocore-session-r}T)inttimerrrrys r:r:BaseAssumeRoleCredentialFetcher._generate_assume_role_names<$5c$))+6F5G"H151H1H-.+/(r=c4[UR5nUR(aUS SU;a[R"US5US'[R "USS9n[ URS55R5nURU5$){Create a predictable cache key for the current configuration. The cache key is intended to be compatible with file names. r}PolicyT) sort_keysutf-8) rrrjsonloadsdumpsrencode hexdigestrbrjargs argument_hashs r:rP1BaseAssumeRoleCredentialFetcher._create_cache_keys ++,  + +&' t "ZZX7DNzz$$/T[[12<<> ##M22r=)rr~rrrr) rrrrrlrrPrrKrLs@r:rzrzs" " 700 33r=rzcF^\rSrSrSU4SjjrSrSrSrSrU=r $)AssumeRoleCredentialFetcheric>X lXPlURc[RUl[TU]UUUUUS9 g)a) :type client_creator: callable :param client_creator: A callable that creates a client taking arguments like ``Session.create_client``. :type source_credentials: Credentials :param source_credentials: The credentials to use to create the client for the call to AssumeRole. :type role_arn: str :param role_arn: The ARN of the role to be assumed. :type extra_args: dict :param extra_args: Any additional arguments to add to the assume role request using the format of the botocore operation. Possible keys include, but may not be limited to, DurationSeconds, Policy, SerialNumber, ExternalId and RoleSessionName. :type mfa_prompter: callable :param mfa_prompter: A callable that returns input provided by the user (i.e raw_input, getpass.getpass, etc.). :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in aws-cli. :type expiry_window_seconds: int :param expiry_window_seconds: The amount of time, in seconds, Nrr3rT)_source_credentials _mfa_promptergetpassrHrl) rjr?source_credentialsrr mfa_prompterr3rTrIs r:rl$AssumeRoleCredentialFetcher.__init__sKR$6 )    %!(D    !"7  r=cfUR5nUR5nUR"S0UD6$)'Get credentials by calling assume role.r)_assume_role_kwargs_create_clientr)rjrrs r:re,AssumeRoleCredentialFetcher._get_credentialsFs2))+$$&!!+F++r=c[UR5nURS5nUbSUS3nURU5nXAS'URS5nUbXQS'U$)AGet the arguments for assume role based on current configuration. SerialNumberzEnter MFA code for z: TokenCodeDurationSeconds)rrrIr)rjassume_role_kwargs mfa_serialprompt token_codeduration_secondss r:r/AssumeRoleCredentialFetcher._assume_role_kwargsLsv%d&9&9:'++N;  !*:,b9F++F3J.8{ +-112CD  '4D0 1!!r=cURR5nURSURURUR S9$)z2Create an STS client using the source credentials.sts)aws_access_key_idaws_secret_access_keyaws_session_token)rrr~r!r"r#)rjfrozen_credentialss r:r*AssumeRoleCredentialFetcher._create_client^sM!55LLN## 0;;"4"?"?066 $  r=)rr)NNNN) rrrrrlrerrrrKrLs@r:rrs+ "4 l, "$  r=rc>^\rSrSrSU4SjjrSrSrSrU=r$)*AssumeRoleWithWebIdentityCredentialFetcheriic4>X l[TU] UUUUUS9 g)a :type client_creator: callable :param client_creator: A callable that creates a client taking arguments like ``Session.create_client``. :type web_identity_token_loader: callable :param web_identity_token_loader: A callable that takes no arguments and returns a web identity token str. :type role_arn: str :param role_arn: The ARN of the role to be assumed. :type extra_args: dict :param extra_args: Any additional arguments to add to the assume role request using the format of the botocore operation. Possible keys include, but may not be limited to, DurationSeconds, Policy, SerialNumber, ExternalId and RoleSessionName. :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in aws-cli. :type expiry_window_seconds: int :param expiry_window_seconds: The amount of time, in seconds, rN)_web_identity_token_loaderrHrl)rjr?web_identity_token_loaderrrr3rTrIs r:rl3AssumeRoleWithWebIdentityCredentialFetcher.__init__ls.H+D'   !"7  r=cUR5n[[S9nURSUS9nUR"S0UD6$)r)signature_versionrr1r)rr r r~assume_role_with_web_identity)rjrr1rs r:re;AssumeRoleWithWebIdentityCredentialFetcher._get_credentialssE))+(3%%eF%;33=f==r=cX[UR5nUR5nX!S'U$)rWebIdentityToken)rrr)rjridentity_tokens r:r>AssumeRoleWithWebIdentityCredentialFetcher._assume_role_kwargss0%d&9&9:88:1?-.!!r=)rr) rrrrrlrerrrKrLs@r:rris#", \>""r=rc2\rSrSrSrSrSSjrSrSrSr g)CredentialProvideriNcXlgr6r8)rjr9s r:rlCredentialProvider.__init__s r=cg)a& Loads the credentials from their source & sets them on the object. Subclasses should implement this method (by reading from disk, the environment, the network or wherever), returning ``True`` if they were found & loaded. If not found, this method should return ``False``, indictating that the ``CredentialResolver`` should fall back to the next available method. The default implementation does nothing, assuming the user has set the ``access_key/secret_key/token`` themselves. :returns: Whether credentials were found & set :rtype: Credentials Trrys r:loadCredentialProvider.loads"r=c/nUHnURX5 M U$![a [URUS9ef=f)Nr3cred_var)appendKeyErrorrMETHOD)rjmapping key_namesfoundkey_names r:_extract_creds_from_mapping.CredentialProvider._extract_creds_from_mappingsS!H  W./"  -![[8 s "Ar8r6) rrrrrCANONICAL_NAMErlrrrrr=r:rrs FN& r=rcT\rSrSrSr\R 4SjrSrSr \ S5r Sr g) r|izcustom-processc6XlX lSUlX0lgr6) _profile_name _load_config_loaded_config_popen)rjr@r>popens r:rlProcessProvider.__init__s)'" r=c^^TRmTcgTRT5nURS5b&[R UUU4SjTR 5$[ USUSURS5TR S9$)Nrc&>TRT5$r6)_retrieve_credentials_using)credential_processrjsr:r;&ProcessProvider.load..s889KLr=r!r"r#)r!r"r#r)_credential_processrrIrrrr)rj creds_dictrs` @r:rProcessProvider.loads!55  % 556HI >>- ( 4)>>L   !,/!,/..);;   r=cv[U5nURU[R[RS9nUR 5upEUR S:wa#[ URURS5S9e[RRRURS55nURSS5nUS:wa[ URSUS 3S9eUS US URS 5URS 5S.$![an[ URSU3S9eSnAff=f)N)stdoutstderrrrr2VersionzzUnsupported version 'z8' for credential process provider, supported versions: 1rrrrrz"Missing required key in response: )r r subprocessPIPE communicate returncoderrdecoderrrrrIr) rjr process_listprrparsedversiones r:r+ProcessProvider._retrieve_credentials_usings5**<= KK    <<1 * g0F %%++FMM',BC**Y(DE a<*+G9567  $]3$%67N3%zz,7    *>qcB  s'*D D8D33D8cURcUR5UlURRS05RUR05nURS5$)Nprofilesr)rrrIr)rjprofile_configs r:r#ProcessProvider._credential_processsa    &"&"3"3"5D ,,00R@DD    !!"677r=)rrrrN) rrrrrrPopenrlrrr@rrrr=r:r|r|s4 F8B8H8H  (!F88r=r|c(\rSrSrSrSrSrSrSrg)rMi$ziam-roleEc2InstanceMetadatacXlgr6 _role_fetcher)rjr2s r:rl!InstanceMetadataProvider.__init__(s-r=cURnUR5nU(dg[RSUS5 [R UUR URS9nU$)Nz#Found credentials from IAM Role: %s role_namerr)rretrieve_iam_role_credentialsrUinforrr)rjfetcherrrns r:rInstanceMetadataProvider.load+sj$$88: 18K3H ';; ;;!??<   r=rN) rrrrrrrlrrrr=r:rMrM$s F*N.r=rMcL\rSrSrSrSrSrSrSS/rSr SS jr S r S r S r Srg )rKiAenv EnvironmentAWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SECURITY_TOKENAWS_SESSION_TOKENAWS_CREDENTIAL_EXPIRATIONNcbUc[RnXlURU5Ulg)aq :param environ: The environment variables (defaults to ``os.environ`` if no value is provided). :param mapping: An optional mapping of variable names to environment variable names. Use this if you want to change the mapping of access_key->AWS_ACCESS_KEY_ID, etc. The dict can have up to 3 keys: ``access_key``, ``secret_key``, ``session_token``. N)r_environ_build_mapping_mapping)rjrrs r:rlEnvProvider.__init__Ks) ?jjG ++G4 r=c0nUc>URUS'URUS'URUS'URUS'U$UR SUR5US'UR SUR5US'UR SUR5US'[ US[ 5(d US/US'UR SUR5US'U$)Nr!r"r#r) ACCESS_KEY SECRET_KEYTOKENS EXPIRY_TIMErIrlist)rjr var_mappings r:rEnvProvider._build_mapping[s ?(,K %(,K %#';;K )-)9)9K &)0 doo)K %)0 doo)K %$+;;w #DK k'2D99(3G(<'= G$)0t//*K &r=c `URRURSS5nU(a~[R S5 UR 5nU"SS9nUSnUb,[ U5n[USUSUS UUURS 9$[USUSUS URS 9$g) z; Search for credentials in explicit environment variables. r!z+Found credentials in environment variables.F)require_expiryrNr"r#)rrr) rrIrrUr _create_credentials_fetcherrrrr)rjr!r rrs r:rEnvProvider.loadss \\%%dmmL&A2F  KKE F668G!7K%m4K&#K0 - - -(");; L)L)G${{  r=ch^^^URmURmURmSUUU4SjjnU$)Nc>0nTRTSS5nU(d [T TSS9eX!S'TRTSS5nU(d [T TSS9eX1S'SUS'TSH"nTRUS5nU(dMXQS' O SUS'TRTSS5nU(aXaS'U(aU(d [T TSS9eU$)Nr!r%rr"r#r)rIr) r&rr!r" token_env_varr#rrrrs r:riBEnvProvider._create_credentials_fetcher..fetch_credentialssK W\%:B?J-#gl.C)3 % W\%:B?J-#gl.C)3 %#'K !(!1  M265+0( "2 *.K &!++gm&'F  r=cJSUR;a[RRURS5nUR U5nUR U;aE[ RS5 X R nX Rn[X4URS9$gg)z> Search for a credential file used by original EC2 CLI tools. r1z)Found credentials in AWS_CREDENTIAL_FILE.r'N) r5r_path expanduserr6rrUr rrr)rj full_pathrnr!r"s r:rOriginalEC2Provider.loads !DMM 1** 34ILL+E%' GH"??3 "??3 ":$++NN (r=)r5r6r) rrrrrr CRED_FILE_ENVrrrlrrrr=r:rRrRs% #F N)M!JJr=rRcB\rSrSrSrSrSrSrSS/rS S jr S r S r S r g)rizshared-credentials-fileSharedCredentialsrraws_security_tokenrNclXlUcSnX lUc[RRnX0lg)Nr')_creds_filenamerr configloaderraw_config_parse _ini_parser)rjrr@ ini_parsers r:rl!SharedCredentialProvider.__init__s6-  $L)  !..??J%r=cURUR5nURU;aXRnURU;am[ R SUR5 URX RUR5up4URU5n[X4XPRS9$gg![a gf=f)Nz0Found credentials in shared credentials file: %sr') rFrCrrrrUr rr_get_session_tokenrr)rjavailable_credsr1r!r"r#s r:rSharedCredentialProvider.loads "..t/C/CDO    0$%7%78F&( F((*.)I)IOOT__*& //7"E++) 1  sB:: CCc@URHnX!;dM Xs $ gr6r)rjr1 token_envvars r:rJ+SharedCredentialProvider._get_session_token s KKL%++(r=)rCrFrr) rrrrrrrrrrlrrJrrr=r:rrs2 &F(N$J(J#$7 8F&(,r=rcF\rSrSrSrSrSrSrSrSS/r SS jr S r S r S r g )riz0INI based config provider with profile sections.z config-file SharedConfigrrrArNcbXlX lUc[RRnX0lg)z :param config_filename: The session configuration scoped to the current profile. This is available via ``session.config``. :param profile_name: The name of the current profile. :param config_parser: A config parser callable. N)_config_filenamerrrDr>_config_parser)rjrr@ config_parsers r:rlConfigProvider.__init__s-!0)  $11==M+r=cURUR5nURUS;aUSURnURU;am[ R SUR5 URX RUR5up4URU5n[X4XPRS9$gg![a gf=f)zZ If there is are credentials in the configuration associated with the session, use those. Nrz$Credentials found in config file: %sr') rUrTrrrrUr rrrJrr)rjr7rr!r"r#s r:rConfigProvider.load,s  --d.C.CDK   Z!8 8(4T5G5GHN.0 :))*.)I)I"OOT__*& //?"E++1#  sC C Cc@URHnX!;dM Xs $ gr6rN)rjr token_names r:rJ!ConfigProvider._get_session_tokenFs++J+%11&r=)rTrUrr6)rrrrrrrrrrrlrrJrrr=r:rrs5: F#N$J(J#$7 8F ,42r=rc@\rSrSrSrSrSrSS/rSrSr S S jr S r S r g )rSiLz boto-config Boto2Config BOTO_CONFIGz /etc/boto.cfgz~/.botorrNc|Uc[RnUc[RRnXlX lgr6)r_rrrDrEr5rF)rjrrGs r:rlBotoProvider.__init__Us2 ?jjG  !..??J %r=cURUR;aURUR/nO URnUHnURU5nSU;dMUSnUR U;dM4[ RSU5 URX@R UR5upV[XVURS9s $ g![a Mf=f)z+ Look for credentials in boto config file. rz)Found credentials in boto config file: %sr'N) BOTO_CONFIG_ENVr5DEFAULT_CONFIG_FILENAMESrFrrrUr rrrr)rjpotential_locationsrar1rr!r"s r:rBotoProvider.load]s   4== 0#'==1E1E#F"G "&"?"? +H ))(3&$]3 ??k1KKCX.2-M-M#__doo.*J'"t{{,"  sC CC)r5rFr) rrrrrrrcrdrrrlrrrr=r:rSrSLs0 F"N#O /;$J(J&r=rSc\rSrSrSrSrSrSrSr\ RSS4Sjr Sr S r S r S rS rS rSrSrSrSrSrSrSrg)rOiy assume-roleNrweb_identity_token_filer$cX0lXlX lX@lXPl0UlX`lXplUR/Ulg)a :type load_config: callable :param load_config: A function that accepts no arguments, and when called, will return the full configuration dictionary for the session (``session.full_config``). :type client_creator: callable :param client_creator: A factory function that will create a client when called. Has the same interface as ``botocore.session.Session.create_client``. :type cache: dict :param cache: An object that supports ``__getitem__``, ``__setitem__``, and ``__contains__``. An example of this is the ``JSONFileCache`` class in the CLI. :type profile_name: str :param profile_name: The name of the profile. :type prompter: callable :param prompter: A callable that returns input provided by the user (i.e raw_input, getpass.getpass, etc.). :type credential_sourcer: CanonicalNameCredentialSourcer :param credential_sourcer: A credential provider that takes a configuration, which is used to provide the source credentials for the STS call. N) r3rr~r _prompterr_credential_sourcer_profile_provider_builder_visited_profiles)rjr>r?r3r@prompterrArBs r:rlAssumeRoleProvider.__init__sJV ' .)!!#5 )A&"&"4"4!5r=cUR5UlURRS05nURUR05nUR U5(aUR UR5$gNr)rrrIr_has_assume_role_config_vars_load_creds_via_assume_role)rjrr&s r:rAssumeRoleProvider.loadsn"//1&&**:r:,,t1126  , ,W 5 533D4F4FG G 6r=cLURU;=(a URU;$r6)ROLE_CONFIG_VARWEB_IDENTITY_TOKE_FILE_VARrjr&s r:rs/AssumeRoleProvider._has_assume_role_config_varss*  G + ;  + +7 : r=c URU5nURX!5n0nURS5nUbXTS'URS5nUbXdS'URS5nUbXtS'URS5nUbXS'[URUUS UUR UR S 9n U Rn Ub [U 5n [URU [S 9$) Nrole_session_namer} external_id ExternalIdrrrrr)r?rrrrr3)rrr) _get_role_config_resolve_source_credentialsrIrr~rkr3rirrDrr) rjr@ role_configrrr|r}rrr  refreshers r:rt.AssumeRoleProvider._load_creds_via_assume_roles ++L9 !==   'OO,?@  (,=( )!oom4  "'2| $ __\2  !)3~ &&??+=>  ',<( )-//1 ,!**  --  !3I>I .;;##  r=cURRS05nX!nURS5nUSnURS5nURS5nURS5nURS5n URS5n UUUU UUS .n U b[U 5U S'UbUb [ S US 3S 9eUcUc[ UR S S9eUbURX5 U $URX5 U $![a Nbf=f)z?Retrieves and validates the role configuration for the profile.rsource_profilercredential_sourcerr}r|r)rr}rr|rr The profile "z5" contains both source_profile and credential_source.r4z#source_profile or credential_sourcer) rrIr ValueErrorrrr_validate_credential_source_validate_source_profile) rjr@rr&rrrrr}r|rrs r:r#AssumeRoleProvider._get_role_configsW&&**:r:( %56:&#KK(;<[[. kk-0 #KK(;<";;'9:!&$!2,!2    ' 256F2G ./  (^-G$#L>2<<   &>+A)>  *  , ,\ M  ) ), G-  sC== D  D cURc[SUSUS3S9eURRU5(d[SUSUS3S9eg)NzThe credential_source "z" is specified in profile "z)", but no source provider was configured.rzThe credential source "z" referenced in profile "z" is not valid.)rlr is_supported)rjparent_profilers r:r.AssumeRoleProvider._validate_credential_source5s  # # +$./@.AB$$2#34=> ''445FGG$./@.AB$$2#33CE Hr=cX[URU5URU5/5$r6)any_has_static_credentialsrsrys r:_source_profile_has_credentials2AssumeRoleProvider._source_profile_has_credentialsFs0,,W511':   r=cURRS05nX#;a[SUSUS3S9eX2nX R;agX!:wa[ UURS9eUR U5(d[ UURS9eg)NrzThe source_profile "z" referenced in the profile "z" does not exist.r)rvisited_profiles)rrIrrnrr)rjparent_profile_namesource_profile_namerrs r:r+AssumeRoleProvider._validate_source_profileNs&&**:r:  .$+,?+@A%%8$99KM "6 &<&< <   5)2!%!7!7 ++N;;)2!%!7!7 # UH oT;v M g7fr6r).0 static_keyr&s r: =AssumeRoleProvider._has_static_credentials..vsG;Z(;)r)rjr& static_keyss ` r:r*AssumeRoleProvider._has_static_credentialsts.0CD G;GGGr=cURS5nUbURX25$USnURRU5 UR U5$)Nrr)rI _resolve_credentials_from_sourcernr!_resolve_credentials_from_profile)rjrr@rrs r:r.AssumeRoleProvider._resolve_source_credentialsxs`'OO,?@  (88! %%56 %%n555nEEr=cURRS05nX!nURU5(a"UR(dUR U5$URU5(dUR U5(dGURR USS9n[U5nUR5nUc Sn[Xq-S9eU$URU5$)NrTrCz.The source profile "%s" must have credentials.r) rrIrrm(_resolve_static_credentials_from_profilersrFrWrrrt)rjr@rr&r_ profile_chainr error_messages r:r4AssumeRoleProvider._resolve_credentials_from_profiles&&**:r:(  ( ( 1 122 @@I I  ) )   227;; $ > > H H)!%!I! //@AM'88:K"D)+: // ==r=c[USUSURS5S9$![a"n[UR[ U5S9eSnAff=f)Nrrrr r)rrIrrrstr)rjr&rs r:r;AssumeRoleProvider._resolve_static_credentials_from_profiles_ "#67"#:;kk"56   )s1v  s" AA  Ac\URRU5nUc [USU3S9eU$)Nz@No credentials found in credential_source referenced in profile r2)rlrr)rjrr@rs r:r3AssumeRoleProvider._resolve_credentials_from_sourcesL..AA    **"".1 r=) r~rlrrrrmrkrnr3)rrrrrrrwrxEXPIRY_WINDOW_SECONDSrrlrrsrtrrrrrrrrrrrr=r:rOrOysy F N O!:$!%<6|H  * X/b" $LH F>B r=rOcV\rSrSrSrSrSSSS.rSSjrS rS r S r S r S r Sr g)rizassume-role-with-web-identityNAWS_WEB_IDENTITY_TOKEN_FILEAWS_ROLE_SESSION_NAME AWS_ROLE_ARN)rir|rclX@lXlX lX0lSUlXPlUc[ nX`lgr6)r3rr~r_profile_config_disable_env_varsr_token_loader_cls)rjr>r?r@r3rDtoken_loader_clss r:rl*AssumeRoleWithWebIdentityProvider.__init__s; '-)#!1  #9 !1r=c"UR5$r6)_assume_role_with_web_identityrys r:r&AssumeRoleWithWebIdentityProvider.loads2244r=cURcCUR5nURS05nURUR05UlURRU5$rr)rrrIr)rjkey loaded_configrs r:_get_profile_config5AssumeRoleWithWebIdentityProvider._get_profile_configs^    ' --/M$((R8H#+<<0B0BB#GD ##'',,r=cUR(agURRU5nU(a'U[R;a[RU$gr6)r_CONFIG_TO_ENV_VARrIr_r)rjrenv_keys r:_get_env_config1AssumeRoleWithWebIdentityProvider._get_env_configsD  ! !))--c2 w"**,::g& &r=cPURU5nUbU$URU5$r6)rr)rjr env_values r: _get_config-AssumeRoleWithWebIdentityProvider._get_configs/((-   '',,r=cNURS5nU(dgURU5nURS5nU(d Sn[US9e0nURS5nUbXeS'[URUUUUR S9n[ URURS9$) NrirzThe provided profile or the current environment is configured to assume role with web identity but has no role ARN configured. Ensure that the profile has the role_arnconfiguration set or the AWS_ROLE_ARN env var is set.rr|r})r?rrrr3r ) rrrrr~r3rDrri)rj token_path token_loaderrr4rr|r s r:r@AssumeRoleWithWebIdentityProvider._assume_role_with_web_identitys%%&?@ --j9 ##J/H  %y9 9  ,,-@A  (,=( )<//&2!**  .;;!33  r=)r~rrrrrr3)NFN)rrrrrrrrlrrrrrrrr=r:rrsF ,FN#@4"2&5-- " r=rc8\rSrSrSrSrSrSrSrSr Sr g ) rQicXlgr6 _providersrjrFs r:rl'CanonicalNameCredentialSourcer.__init__s#r=cZXRVs/sHo"RPM sn;$s snf)aValidates a given source name. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: bool :returns: True if the credential provider is supported, False otherwise. )rr)rj source_namers r:r+CanonicalNameCredentialSourcer.is_supporteds'IA//IIIIs(cURU5n[U[5(aUR5$UR 5$)zLoads source credentials based on the provided configuration. :type source_name: str :param source_name: The value of credential_source in the config file. This is the canonical name of the credential provider. :rtype: Credentials ) _get_providerrrWrr)rjrsources r:r1CanonicalNameCredentialSourcer.source_credentials+s=##K0 f0 1 1**, ,{{}r=cURU5nUR5S;a%URS5nUbUcU$[X2/5$Uc [ US9eU$)zReturn a credential provider by its canonical name. :type canonical_name: str :param canonical_name: The canonical name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. ) sharedconfigsharedcredentialsrhname)_get_provider_by_canonical_namelower_get_provider_by_methodrWr)rjcanonical_namer3r]s r:r,CanonicalNameCredentialSourcer._get_provider9st77G    !%J J#'#?#? #N #/ #// *+?*JKK  (n= =r=cURH>nURnU(dMUR5UR5:XdM<Us $ g)zReturn a credential provider by its canonical name. This function is strict, it does not attempt to address compatibility issues. N)rrr)rjrr3rs r:r>CanonicalNameCredentialSourcer._get_provider_by_canonical_name_s= H**Dt (<(<(>> (r=cRURHnURU:XdMUs $ g)z0Return a credential provider by its METHOD name.N)rr)rjrr3s r:r6CanonicalNameCredentialSourcer._get_provider_by_methodks!H&((r=rN) rrrrrlrrrrrrrr=r:rQrQs"$ J $L   r=rQcZ\rSrSrSrSrSrSrSrSr SS jr S r S r S r S rSrSrSrg)rLirzcontainer-role EcsContainer&AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"AWS_CONTAINER_CREDENTIALS_FULL_URI!AWS_CONTAINER_AUTHORIZATION_TOKEN&AWS_CONTAINER_AUTHORIZATION_TOKEN_FILENc\Uc[RnUc [5nXlX lgr6)r_rrr5_fetcher)rjrr s r:rlContainerProvider.__init__zs' ?jjG ?.0G  r=cURUR;dURUR;aUR5$gr6)ENV_VARr5 ENV_VAR_FULL_retrieve_or_failrys r:rContainerProvider.loads: <<4== (D,=,=,N))+ +-Or=c NUR5(a3URRURUR5nOURUR nUR U5nU"5n[USUSUSUR[US5US9$)Nr!r"r#r)r!r"r#rrr) _provided_relative_urirfull_urlr5rr_create_fetcherrrr)rjfull_urir rns r:r#ContainerProvider._retrieve_or_fails  & & ( (}}--dmmDLL.IJH}}T%6%67H&&x0 %\*\*.;;(})=>!   r=cpSnURUR;a>URURn[U5nUR5nSSS5 O3URUR;aURURnUbUR U5 SU0$g!,(df  N'=f)N Authorization)ENV_VAR_AUTH_TOKEN_FILEr5openreadENV_VAR_AUTH_TOKEN_validate_auth_token)rj auth_tokenauth_token_file_path token_files r:_build_headers ContainerProvider._build_headerss  ' '4== 8#'==1M1M#N *+z'__. ,+  $ $ 5t'>'>?J  !  % %j 1#Z0 0 " ,+s B'' B5c2SU;dSU;a [S5eg)N  z,Auth token value is not a legal header value)r)rjrs r:r&ContainerProvider._validate_auth_tokens" : !3KL L"4r=c^^UU4SjnU$)Nc>TR5nTRRTUS9nUSUSUSUS S .$![a7n[R SUSS9 [ TR[U5S9eSnAff=f) N)headersz'Error retrieving container metadata: %sTr$r2rrTokenrr) r rretrieve_full_urirrUrVrrr)rrrrrjs r: fetch_creds6ContainerProvider._create_fetcher..fetch_credss --/==::g;'}5&'89!'*' 5  *  =q4/![[CF  s*A B 2A<<Br)rjrrrrs`` r:r!ContainerProvider._create_fetchers (r=c4URUR;$r6)rr5rys r:r(ContainerProvider._provided_relative_uris||t}},,r=)r5rr)rrrrrrrrrrrlrrr rrrrrr=r:rLrLrsF F#N6G7L<F ,  1M.-r=rLc>\rSrSrSrSrSrSrSrSr Sr S r g ) rWicXlg)zA :param providers: A list of ``CredentialProvider`` instances. NrErs r:rlCredentialResolver.__init__s #r=cURVs/sHo3RPM snRU5nURR XB5 gs snf![a [ US9ef=f)a Inserts a new instance of ``CredentialProvider`` into the chain that will be tried before an existing one. :param name: The short name of the credentials you'd like to insert the new credentials before. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` rN)rFrindexrrinsert)rjrcredential_providerroffsets r: insert_before CredentialResolver.insert_befores_ 4(,71hh7==dCF f:8 4(d3 3 4sAAAAA+cdURU5nURRUS-U5 g)a Inserts a new type of ``Credentials`` instance into the chain that will be tried after an existing one. :param name: The short name of the credentials you'd like to insert the new credentials after. (ex. ``env`` or ``config``). Existing names & ordering can be discovered via ``self.available_methods``. :type name: string :param cred_instance: An instance of the new ``Credentials`` object you'd like to add to the chain. :type cred_instance: A subclass of ``Credentials`` rN)_get_provider_offsetrFr )rjrr!r"s r: insert_afterCredentialResolver.insert_afters-**40 fqj*=>r=cURVs/sHo"RPM nnX;agURU5nURRU5 gs snf)z Removes a given ``Credentials`` instance from the chain. :param name: The short name of the credentials instance to remove. :type name: string N)rFrrpop)rjrravailable_methodsr"s r:rTCredentialResolver.removesO04~~>~!XX~>  ( "((. 6" ?sAc>URURU5$)zReturn a credential provider by name. :type name: str :param name: The name of the provider. :raises UnknownCredentialError: Raised if no credential provider by the provided name is found. )rFr&)rjrs r: get_providerCredentialResolver.get_providers~~d77=>>r=cURVs/sHo"RPM snRU5$s snf![a [ US9ef=f)Nr)rFrrrr)rjrrs r:r&'CredentialResolver._get_provider_offset sJ 4&*nn5nHHn5;;DA A5 4(d3 3 4s;6;;AcURH:n[RSUR5 UR 5nUcM8Us $ g)z_ Goes through the credentials chain, returning the first ``Credentials`` that could be loaded. zLooking for credentials via: %sN)rFrUrVrr)rjr3rns r:r#CredentialResolver.load_credentialss@ H LL:HOO LMMOE  'r=rEN) rrrrrlr#r'rTr.r&rrrr=r:rWrWs%#;(?" # ?4 r=rWcL^\rSrSrSrSU4SjjrSrSrSrSr U=r $) SSOCredentialFetcheri'z%Y-%m-%dT%H:%M:%SZc >XPlX lX0lX@lXlX`lXlXl[T U]%Xx5 gr6) r~ _sso_region _role_name _account_id _start_url _token_loader_token_provider_sso_session_namerHrl) rj start_url sso_regionr  account_idr?rr3rTrsso_session_namerIs r:rlSSOCredentialFetcher.__init__*s@ .%#%#)-!1 6r=c2URURS.nUR(aURUS'OURUS'[R "USSS9n[ URS55R5nURU5$)r)roleName accountId sessionNamestartUrlT),r[)r separatorsr) r8r9r=r:rrrrrrbrs r:rP&SSOCredentialFetcher._create_cache_keyAs ))   ! !"&"8"8D #D  zz$$:FT[[12<<> ##M22r=cUS- n[RRU[55nURUR5$)Ng@@)r fromtimestampr r_UTC_DATE_FORMAT)rj timestamp_mstimestamp_seconds timestamps r:_parse_timestamp%SSOCredentialFetcher._parse_timestampWs?(61%%334EuwO !!$"7"788r=c[[URS9nURSUS9nUR(a5URR 5nUR 5RnOURUR5SnURURUS.nUR"S 0UD6nUSnSUSUSUS UR!US 5S .S .nU$!URRa [5ef=f)z4Get credentials by calling SSO get role credentials.)rr4ssor accessToken)rDrErUroleCredentials accessKeyIdsecretAccessKey sessionTokenro)rrrr) ProviderTyperr)r r r7r~r< load_tokenget_frozen_tokenr#r;r:r8r9get_role_credentials exceptionsUnauthorizedExceptionrrQ)rjr1rinitial_token_datar#rrrs r:re%SSOCredentialFetcher._get_credentials]s&&(( %%eF%;   !%!5!5!@!@!B &779??E&&t7 FE))    .22r?r@r3rrs r:rlSSOProvider.__init__sG  '(A(ABK'- =E '-)r=c^ UR5nURS05nURnURUR05m URS05n[U 4SjUR55(agUR T U5upV0n/nUR U-n U H!n X;aXZXz'MURU 5 M# U(a SRU5n [SUSU 3S9eU$)Nr sso_sessionsc3*># UH oT;v M g7fr6r)rcrs r:r/SSOProvider._load_sso_config..s -O^ #-Orr1rzB" is configured to use SSO but is missing required configuration: r) rrIrall_PROFILE_REQUIRED_CONFIG_VARS_resolve_sso_session_reference_ALL_REQUIRED_CONFIG_VARSrr5r) rjrrr@rlresolved_config extra_reqsr1missing_config_varsall_required_configs config_varmissingrs @r:_load_sso_configSSOProvider._load_sso_configs))+  $$Z4)) !d&8&8"=$((<   -1-O-O   &*&I&I L' # #== J.J,%4%@"#**:6 / ii 34G$#L>2>>EYH   r=cURS5nUcUS4$X2;aSUS3n[US9eUR5nX#nUR5H5upxURXx5U:waSUSXWSUS 3n[US9eXU'M7 US 4$) N sso_sessionrz+The specified sso-session does not exist: ""rzThe value for z" is inconsistent between profile (z) and sso-session (z).)r})rIrcopyitems) rjrrlrAr4r1r9rxvals r:rr*SSOProvider._resolve_sso_session_references)--m<  #!2% %  /EFVEWWXYI$y9 9$$&0&}}OJzz**c1$ZL1 & 233Fse2O)9==!$:  /'''r=c 4UR5nU(dgUSUSUSUSUR[URS9URS.nSU;aUSUS'UR US '[ S 0UD6n[URURS 9$) Nrfr?rdre)r3)r>r?r r@r?rr3r}rArr r) rzr~rrir3r<r5rDrri)rj sso_configfetcher_kwargs sso_fetchers r:rSSOProvider.loads**, $O4$\2#O4$%56"22*1B1BCZZ  J &1;M1JN- ./3/C/CN+ ,*<^< -;;%77  r=)r~rrrir<r3r)rrrrrr_r:r;r5rhrq_SSO_REQUIRED_CONFIG_VARSrsrlrzrrrrrr=r:rrsr F77--  S&%1%!! &(AA*("H(. r=rrr)Trrrloggingr_rrr collectionsrrrhashlibrdateutil.parserr dateutil.tzrr botocore.compatrbotocore.configloaderr r r botocore.configr botocore.exceptionsrrrrrrrrrbotocore.tokensrbotocore.utilsrrrrrrr getLoggerrrUrr>rJrbrNrrrrrPrrrrrDrNrzrrrr|rMrKrRrrrSrOrrQrLrWr5rrr=r:rs   "!&="   -   8 $ @&-"$+!]@J J Z' ,   &$# # Le([e(P 2%;2.B5B5J23&=23jW "AW t@"#@"F++\G8(G8T1:{!${!| , F+,1+,\92'92x*%*ZE+EP V (:V rU U pN-*N-baaHW2Wtx $x r=