Upgrade AWS v2 SDK to 2.30.38 (#124738)

Adopts fix for https://github.com/aws/aws-sdk-java-v2/issues/5754, removing the need for read permissions of sensitive files in `${HOME}/.aws`.
2025-04-17 20:05:09 -04:00 · 2025-03-13 20:38:39 +00:00 · 2025-03-13 20:38:39 +00:00 · d5d81a57db
commit d5d81a57db
parent fd7866a2f8
7 changed files with 85 additions and 92 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -226,5 +226,8 @@ indent_size = 2
 [*.{xsd,xml}]
 indent_size = 4

+[verification-metadata.xml]
+indent_size = 3
+
 [*.{csv,sql}-spec]
 trim_trailing_whitespace = false
--- a/build-tools-internal/version.properties
+++ b/build-tools-internal/version.properties
@ -18,7 +18,7 @@ netty             = 4.1.118.Final
 commons_lang3     = 3.9
 google_oauth_client = 1.34.1
 awsv1sdk            = 1.12.746
-awsv2sdk            = 2.28.13
+awsv2sdk            = 2.30.38
 reactive_streams    = 1.0.4

 antlr4            = 4.13.1
--- a/docs/changelog/124738.yaml
+++ b/docs/changelog/124738.yaml
@ -0,0 +1,5 @@
+pr: 124738
+summary: Upgrade AWS v2 SDK to 2.30.38
+area: Machine Learning
+type: upgrade
+issues: []
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@ -4679,129 +4679,129 @@
            <sha256 value="880c9d896e4b74a06c549c15ca496450165d6909fa15d7e662bee8f6a66d7afa" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="annotations" version="2.28.13">
-         <artifact name="annotations-2.28.13.jar">
-            <sha256 value="f8f0df5ee1fcfef0381d167ae50d85ce635b7e5b32d5d620bbb8019f183c6b41" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="annotations" version="2.30.38">
+         <artifact name="annotations-2.30.38.jar">
+            <sha256 value="64d8c2bcccd33c20ccdbafa101b01d8e0f750c4e4bd227b0b765046f601eb944" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="auth" version="2.28.13">
-         <artifact name="auth-2.28.13.jar">
-            <sha256 value="494db83a2a06f09ba6717bb7fff07d50eb85b0b0d51904bf76601ee48e728741" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="auth" version="2.30.38">
+         <artifact name="auth-2.30.38.jar">
+            <sha256 value="22d59f9af8111be5219eb33ef480d84c616565913da57cb4eac686076fea370e" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="aws-core" version="2.28.13">
-         <artifact name="aws-core-2.28.13.jar">
-            <sha256 value="8dd71bedb30d0a4a857cb9e5b30a48e81a66dd9381c13537c2f4639248adba60" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="aws-core" version="2.30.38">
+         <artifact name="aws-core-2.30.38.jar">
+            <sha256 value="ec404c92a17f324ef4b08cd11122cdcc3a7c472615f993904c1a100df0d00223" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="aws-json-protocol" version="2.28.13">
-         <artifact name="aws-json-protocol-2.28.13.jar">
-            <sha256 value="63adac3a637c67f779cc56099e264f1cdd2fc4ac85c27e281b2cad53a693f7d2" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="aws-json-protocol" version="2.30.38">
+         <artifact name="aws-json-protocol-2.30.38.jar">
+            <sha256 value="b62be02560a46135181342afc9fb2d99373a9f04f384caf30863e2e7fe5b3892" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="bedrockruntime" version="2.28.13">
-         <artifact name="bedrockruntime-2.28.13.jar">
-            <sha256 value="9ff1571e87a11114407eade316e4439b63275283ff49b6aaf52549c37d8e6a92" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="bedrockruntime" version="2.30.38">
+         <artifact name="bedrockruntime-2.30.38.jar">
+            <sha256 value="4424437b49fdf263ea460f4da634d3279ada7f4763827d74fea48c0f8f2afea3" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="checksums" version="2.28.13">
-         <artifact name="checksums-2.28.13.jar">
-            <sha256 value="b4d452f8ceddf0e9a4874a9cfd65e62c257fef4c2b3b942893f590e09e945eca" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="checksums" version="2.30.38">
+         <artifact name="checksums-2.30.38.jar">
+            <sha256 value="38d051e2c6aa4ea08ccf758adc7f30323503d9c759b4862f7f5e5b20a4871a37" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="checksums-spi" version="2.28.13">
-         <artifact name="checksums-spi-2.28.13.jar">
-            <sha256 value="20dfb45d582c175e48aa50237fd44704e31e91418b5d3da1092508dbcb9a4d11" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="checksums-spi" version="2.30.38">
+         <artifact name="checksums-spi-2.30.38.jar">
+            <sha256 value="82d97bcbb18d8f369b00c9971ca8c24ad94769d20836e0c4f86ebcdfea994cdb" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="endpoints-spi" version="2.28.13">
-         <artifact name="endpoints-spi-2.28.13.jar">
-            <sha256 value="b18dd1d66f03bf5e192ab51d7f3a8139e5bf1e7bab27501b00338f1d8e260f61" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="endpoints-spi" version="2.30.38">
+         <artifact name="endpoints-spi-2.30.38.jar">
+            <sha256 value="80620e3020a29871073a8a4efbcaa4d546667eeb92dfd478de808dca7e0500aa" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="http-auth" version="2.28.13">
-         <artifact name="http-auth-2.28.13.jar">
-            <sha256 value="aeb18af3ba2c8b60b1012122737dc613e1b8d68558d69da301ba1c6a19e12593" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="http-auth" version="2.30.38">
+         <artifact name="http-auth-2.30.38.jar">
+            <sha256 value="ec16c0da3df9d5f0b13e469054d824b8a7a6ea4b910ec423fefac794043e22b0" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="http-auth-aws" version="2.28.13">
-         <artifact name="http-auth-aws-2.28.13.jar">
-            <sha256 value="cd0303e19ae51e8bb4dc1e454ef6e46e54ef865cf80988d775cfa8edb48ca975" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="http-auth-aws" version="2.30.38">
+         <artifact name="http-auth-aws-2.30.38.jar">
+            <sha256 value="014949af1202f007b5a847510988a63cea5420699aefb3bda01bc86aa4c01198" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="http-auth-aws-eventstream" version="2.28.13">
-         <artifact name="http-auth-aws-eventstream-2.28.13.jar">
-            <sha256 value="55da99bf20179255f1da5551f41192095bf36eb8ab97b08f1a430f50bbb61733" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="http-auth-aws-eventstream" version="2.30.38">
+         <artifact name="http-auth-aws-eventstream-2.30.38.jar">
+            <sha256 value="84d1167b24b8437434c0c023a95dbddd3438f9ae2252c12b704e5152e0208027" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="http-auth-spi" version="2.28.13">
-         <artifact name="http-auth-spi-2.28.13.jar">
-            <sha256 value="61a142852865dc050006ff6ab61e59780d296e7b2721d578db255c4dc31be083" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="http-auth-spi" version="2.30.38">
+         <artifact name="http-auth-spi-2.30.38.jar">
+            <sha256 value="b014537453ff24bee7665088e56f2cb93fe66fa3d9276a78bb8cd990da667663" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="http-client-spi" version="2.28.13">
-         <artifact name="http-client-spi-2.28.13.jar">
-            <sha256 value="827763cbf43131d9542a58546a5252a4f6c4f32b861f755e339cb4c85e74f4c8" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="http-client-spi" version="2.30.38">
+         <artifact name="http-client-spi-2.30.38.jar">
+            <sha256 value="1f802f578939e15eb48a816f3d519f4cb6234d48f674bfc9f81f06040b0855d2" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="identity-spi" version="2.28.13">
-         <artifact name="identity-spi-2.28.13.jar">
-            <sha256 value="8baf158caf32cbab7cfdc2fabf48bac90e737917703c2a6e0502f46c46e3ef71" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="identity-spi" version="2.30.38">
+         <artifact name="identity-spi-2.30.38.jar">
+            <sha256 value="e784929d8a51591b6ed51344f41b37f2a68582d2e912e8310ea3e57a56d4d6bf" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="json-utils" version="2.28.13">
-         <artifact name="json-utils-2.28.13.jar">
-            <sha256 value="369ed42586213a33bc7f94e9d21594ee64fec1152819476c24c82b312b27b170" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="json-utils" version="2.30.38">
+         <artifact name="json-utils-2.30.38.jar">
+            <sha256 value="823f565bc6d4031e4b3dada05c1e66c1344f34d498344b7186a2f2d048ba01d8" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="metrics-spi" version="2.28.13">
-         <artifact name="metrics-spi-2.28.13.jar">
-            <sha256 value="5ba10e6cf4882455eb27f6cb3b72832ea01d9bdf260c2c7fe80442b997af951b" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="metrics-spi" version="2.30.38">
+         <artifact name="metrics-spi-2.30.38.jar">
+            <sha256 value="1c16e68387ef1fade5ed848811f4c1779fedfe5965e33a1264ebf608e50ad902" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="netty-nio-client" version="2.28.13">
-         <artifact name="netty-nio-client-2.28.13.jar">
-            <sha256 value="d382c2fc88121faa4a523e48683d22694f47638428741a1cf67985dd893de560" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="netty-nio-client" version="2.30.38">
+         <artifact name="netty-nio-client-2.30.38.jar">
+            <sha256 value="1cf334d5df80dcfd09ed8b03d57b0c3153d16807a6f8e8b98eeefce86f6e62c2" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="profiles" version="2.28.13">
-         <artifact name="profiles-2.28.13.jar">
-            <sha256 value="1889896c4a2714c3ae9ebd9c7be430c8b7add52fcd7561b4cdca70f41d225902" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="profiles" version="2.30.38">
+         <artifact name="profiles-2.30.38.jar">
+            <sha256 value="212e182bad994236ea3f63d76080f5855e342759b0af970376500e4d06aa12d2" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="protocol-core" version="2.28.13">
-         <artifact name="protocol-core-2.28.13.jar">
-            <sha256 value="86bd64f9c897058578a7153d7d1dbc1ce4fcf7025b5b2651f4b3404144dbeba4" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="protocol-core" version="2.30.38">
+         <artifact name="protocol-core-2.30.38.jar">
+            <sha256 value="ead8ea1eb125e5d0dc4a69312f816bdb1b353604bf4b51dd2070d14e78f00d6d" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="regions" version="2.28.13">
-         <artifact name="regions-2.28.13.jar">
-            <sha256 value="97051ca69715150e1bc3f12f89e05692585a0f1e8a6901699d1fe07cad9a348f" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="regions" version="2.30.38">
+         <artifact name="regions-2.30.38.jar">
+            <sha256 value="e1674ff1f8d09c0585a60422b4c3ff73a06912d5fd999b91b0a398977655425e" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="retries" version="2.28.13">
-         <artifact name="retries-2.28.13.jar">
-            <sha256 value="3bf13cc6ba9dabf41009fcf8b9f31d936340d8b565b2bf83aa030d12494e8d18" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="retries" version="2.30.38">
+         <artifact name="retries-2.30.38.jar">
+            <sha256 value="1191db8e9540430e63c2e1fef08311f95fef29cbcda1a353810d6b02ce0495cc" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="retries-spi" version="2.28.13">
-         <artifact name="retries-spi-2.28.13.jar">
-            <sha256 value="d30595d38eb17929afe724290667873828f9c4c79dd5d5b8d3ae902318e6495f" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="retries-spi" version="2.30.38">
+         <artifact name="retries-spi-2.30.38.jar">
+            <sha256 value="da37cb021156b6aae5a30337e270a33a43817a64c59ca7aa4c39074cfda39a4b" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="sdk-core" version="2.28.13">
-         <artifact name="sdk-core-2.28.13.jar">
-            <sha256 value="1072f71dd15f89596c63d30bdb779e0956eb4380f94c8b75d675d01846711df3" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="sdk-core" version="2.30.38">
+         <artifact name="sdk-core-2.30.38.jar">
+            <sha256 value="556463b8c353408d93feab74719d141fcfda7fd3d7b7d1ad3a8a548b7cc2982d" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="third-party-jackson-core" version="2.28.13">
-         <artifact name="third-party-jackson-core-2.28.13.jar">
-            <sha256 value="3782d94baf0d396f7687d186b3fe0f3ffdbab9d610f0099b782ae9d802387183" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="third-party-jackson-core" version="2.30.38">
+         <artifact name="third-party-jackson-core-2.30.38.jar">
+            <sha256 value="979215cd78fe0b4abfa7465e6400b29ed90ced24d76323e87b6717195f0214af" origin="Generated by Gradle"/>
         </artifact>
      </component>
-      <component group="software.amazon.awssdk" name="utils" version="2.28.13">
-         <artifact name="utils-2.28.13.jar">
-            <sha256 value="c0ab5446f8009bde04a09de880804c5bda30cf8f69ce857116c1f99606c67069" origin="Generated by Gradle"/>
+      <component group="software.amazon.awssdk" name="utils" version="2.30.38">
+         <artifact name="utils-2.30.38.jar">
+            <sha256 value="977f7f03cfd8957889c478b134ce89172217d2ef77bbf81e954efe371ca1f1a8" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="software.amazon.eventstream" name="eventstream" version="1.0.1">
--- a/x-pack/plugin/inference/build.gradle
+++ b/x-pack/plugin/inference/build.gradle
@ -391,8 +391,6 @@ tasks.named("thirdPartyAudit").configure {
    'software.amazon.awssdk.crt.auth.signing.AwsSigningConfig$AwsSignedBodyHeaderType',
    'software.amazon.awssdk.crt.auth.signing.AwsSigningConfig$AwsSigningAlgorithm',
    'software.amazon.awssdk.crt.auth.signing.AwsSigningResult',
-    'software.amazon.awssdk.crt.checksums.CRC32',
-    'software.amazon.awssdk.crt.checksums.CRC32C',
    'software.amazon.awssdk.crt.http.HttpHeader',
    'software.amazon.awssdk.crt.http.HttpRequest',
    'software.amazon.awssdk.crt.http.HttpRequestBodyStream',
--- a/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml
+++ b/x-pack/plugin/inference/src/main/plugin-metadata/entitlement-policy.yaml
@ -22,14 +22,3 @@ io.netty.common:
 io.netty.transport:
  - manage_threads
  - outbound_network
-# AWS Clients always try to access the credentials and config files, even if we configure otherwise
-# This should be "fixed" (as in, it will handle SecurityException correctly)
-# by https://github.com/aws/aws-sdk-java-v2/pull/5904. Once confirmed and libraries are updated, these could be removed.
-software.amazon.awssdk.profiles:
-  - files:
-    - relative_path: .aws/credentials
-      relative_to: home
-      mode: read
-    - relative_path: .aws/config
-      relative_to: home
-      mode: read
--- a/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
+++ b/x-pack/plugin/inference/src/main/plugin-metadata/plugin-security.policy
@ -22,8 +22,6 @@ grant {
  // also, AWS Bedrock client opens socket connections and needs resolve for to access to resources
  permission java.net.SocketPermission "*", "connect,resolve";

-  // AWS Clients always try to access the credentials and config files, even if we configure otherwise
-  permission java.io.FilePermission "${user.home}/.aws/credentials", "read";
-  permission java.io.FilePermission "${user.home}/.aws/config", "read";
+  // AWS Clients always try to check the http.proxyHost system property
  permission java.util.PropertyPermission "http.proxyHost", "read";
 };