From a9c845396ebc1af1e78a0c2d85c72706d0851f7e Mon Sep 17 00:00:00 2001 From: aemous Date: Wed, 25 Feb 2026 10:48:28 -0500 Subject: [PATCH 1/8] Implement opting out of S3 Express session auth via config variables. --- .../next-release/enhancement-s3-43539.json | 5 ++ awscli/botocore/args.py | 3 + awscli/botocore/config.py | 4 ++ awscli/botocore/configprovider.py | 6 ++ awscli/botocore/regions.py | 5 ++ .../botocore/test_disable_s3_express_auth.py | 67 +++++++++++++++++++ 6 files changed, 90 insertions(+) create mode 100644 .changes/next-release/enhancement-s3-43539.json create mode 100644 tests/functional/botocore/test_disable_s3_express_auth.py diff --git a/.changes/next-release/enhancement-s3-43539.json b/.changes/next-release/enhancement-s3-43539.json new file mode 100644 index 000000000000..59929ef64f57 --- /dev/null +++ b/.changes/next-release/enhancement-s3-43539.json @@ -0,0 +1,5 @@ +{ + "type": "enhancement", + "category": "``s3``", + "description": "Added support for opting out of Amazon S3 Express session authentication via the new ``disable_s3_express_session_auth`` client configuration setting, or the new ``AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`` environment variable, or the ``s3_disable_express_session_auth`` S3 shared configuration setting." +} diff --git a/awscli/botocore/args.py b/awscli/botocore/args.py index 5897ab99eb0b..4affaa116925 100644 --- a/awscli/botocore/args.py +++ b/awscli/botocore/args.py @@ -679,6 +679,9 @@ def compute_endpoint_resolver_builtin_defaults( EPRBuiltins.AWS_S3_DISABLE_MRAP: s3_config.get( 's3_disable_multiregion_access_points', False ), + EPRBuiltins.AWS_S3_DISABLE_EXPRESS_SESSION_AUTH: s3_config.get( + 'disable_s3_express_session_auth', False + ), EPRBuiltins.SDK_ENDPOINT: given_endpoint, EPRBuiltins.ACCOUNT_ID: credentials.get_deferred_property( 'account_id' diff --git a/awscli/botocore/config.py b/awscli/botocore/config.py index 9362e0138ee9..dbdd2b8b6612 100644 --- a/awscli/botocore/config.py +++ b/awscli/botocore/config.py @@ -120,6 +120,10 @@ class Config: * path -- Addressing style is always by path. Endpoints will be addressed as such: s3.amazonaws.com/mybucket + * ``disable_s3_express_session_auth`` -- Refers to whether to use S3 + Express session authentication. The value must be a boolean. If True, the + client will NOT use S3 Express session authentication. + :type retries: dict :param retries: A dictionary for retry specific configurations. Valid keys are: diff --git a/awscli/botocore/configprovider.py b/awscli/botocore/configprovider.py index 427d2ed2cdec..0d382feeccec 100644 --- a/awscli/botocore/configprovider.py +++ b/awscli/botocore/configprovider.py @@ -192,6 +192,12 @@ None, None, ), + 'disable_s3_express_session_auth': ( + ('s3', 's3_disable_express_session_auth'), + 'AWS_S3_DISABLE_EXPRESS_SESSION_AUTH', + None, + utils.ensure_boolean, + ), } # A mapping for the s3 specific configuration vars. These are the configuration # vars that typically go in the s3 section of the config file. This mapping diff --git a/awscli/botocore/regions.py b/awscli/botocore/regions.py index 32367ef8dcc3..4ed4145b6c88 100644 --- a/awscli/botocore/regions.py +++ b/awscli/botocore/regions.py @@ -440,6 +440,11 @@ class EndpointResolverBuiltins(str, Enum): # Whether to use the ARN region or raise an error when ARN and client # region differ (for s3 service only, bool) AWS_S3_USE_ARN_REGION = "AWS::S3::UseArnRegion" + # Whether to use S3 Express session authentication, or fallback to default + # authentication (for s3 service only, bool). + AWS_S3_DISABLE_EXPRESS_SESSION_AUTH = ( + "AWS::S3::DisableS3ExpressSessionAuth" + ) # Whether to use the ARN region or raise an error when ARN and client # region differ (for s3-control service only, bool) AWS_S3CONTROL_USE_ARN_REGION = 'AWS::S3Control::UseArnRegion' diff --git a/tests/functional/botocore/test_disable_s3_express_auth.py b/tests/functional/botocore/test_disable_s3_express_auth.py new file mode 100644 index 000000000000..47b24b071395 --- /dev/null +++ b/tests/functional/botocore/test_disable_s3_express_auth.py @@ -0,0 +1,67 @@ +# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"). You +# may not use this file except in compliance with the License. A copy of +# the License is located at +# +# http://aws.amazon.com/apache2.0/ +# +# or in the "license" file accompanying this file. This file is +# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF +# ANY KIND, either express or implied. See the License for the specific +# language governing permissions and limitations under the License. +import datetime +from unittest import mock + +import pytest +from dateutil.tz import tzutc + +from botocore.config import Config +from tests import ClientHTTPStubber + + +class TestDisableS3ExpressAuth: + DATE = datetime.datetime(2024, 11, 30, 23, 59, 59, tzinfo=tzutc()) + BUCKET_NAME = 'mybucket--usw2-az1--x-s3' + + CREATE_SESSION_RESPONSE = b'\ntest-key2024-12-31T23:59:59Ztest-secrettest-token' + LIST_OBJECTS_RESPONSE = b'\nmybucket--usw2-az1--x-s301000urlfalse' + + @pytest.fixture + def mock_datetime(self): + with mock.patch('datetime.datetime', spec=True) as mock_dt: + mock_dt.now.return_value = self.DATE + yield mock_dt + + def test_disable_s3_express_auth_enabled( + self, patched_session, mock_datetime + ): + config = Config(s3={'disable_s3_express_session_auth': True}) + s3_client = patched_session.create_client( + 's3', + config=config, + region_name='us-west-2', + ) + + with ClientHTTPStubber(s3_client) as stubber: + stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) + s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) + + assert len(stubber.requests) == 1 + + def test_disable_s3_express_auth_disabled( + self, patched_session, mock_datetime + ): + config = Config(s3={'disable_s3_express_session_auth': False}) + s3_client = patched_session.create_client( + 's3', + config=config, + region_name='us-west-2', + ) + + with ClientHTTPStubber(s3_client) as stubber: + stubber.add_response(body=self.CREATE_SESSION_RESPONSE) + stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) + s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) + + assert len(stubber.requests) == 2 From 44cffc98a1a622ae3981915aa710019b6e79c526 Mon Sep 17 00:00:00 2001 From: aemous Date: Wed, 25 Feb 2026 11:25:51 -0500 Subject: [PATCH 2/8] Mock utcnow in test_disable_s3_express_auth to fix failing test. --- tests/functional/botocore/test_disable_s3_express_auth.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/functional/botocore/test_disable_s3_express_auth.py b/tests/functional/botocore/test_disable_s3_express_auth.py index 47b24b071395..e312f07ee3b6 100644 --- a/tests/functional/botocore/test_disable_s3_express_auth.py +++ b/tests/functional/botocore/test_disable_s3_express_auth.py @@ -31,6 +31,7 @@ class TestDisableS3ExpressAuth: def mock_datetime(self): with mock.patch('datetime.datetime', spec=True) as mock_dt: mock_dt.now.return_value = self.DATE + mock_dt.utcnow.return_value = self.DATE yield mock_dt def test_disable_s3_express_auth_enabled( From e693c578a30f428a41341036eb27af83ce1e6602 Mon Sep 17 00:00:00 2001 From: Carlos <35640105+aemous@users.noreply.github.com> Date: Wed, 25 Feb 2026 14:01:36 -0500 Subject: [PATCH 3/8] Remove reference to client configuration setting in changelog entry. --- .changes/next-release/enhancement-s3-43539.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changes/next-release/enhancement-s3-43539.json b/.changes/next-release/enhancement-s3-43539.json index 59929ef64f57..419170003837 100644 --- a/.changes/next-release/enhancement-s3-43539.json +++ b/.changes/next-release/enhancement-s3-43539.json @@ -1,5 +1,5 @@ { "type": "enhancement", "category": "``s3``", - "description": "Added support for opting out of Amazon S3 Express session authentication via the new ``disable_s3_express_session_auth`` client configuration setting, or the new ``AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`` environment variable, or the ``s3_disable_express_session_auth`` S3 shared configuration setting." + "description": "Added support for opting out of Amazon S3 Express session authentication via the new ``AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`` environment variable, or the ``s3_disable_express_session_auth`` S3 shared configuration setting." } From 58b40394433c193e25d88fd2cd24ceabbca94616 Mon Sep 17 00:00:00 2001 From: aemous Date: Tue, 3 Mar 2026 10:08:59 -0500 Subject: [PATCH 4/8] Update s3-config topic with extra config setting. --- awscli/topics/s3-config.rst | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/awscli/topics/s3-config.rst b/awscli/topics/s3-config.rst index ad127f776ec9..945c4d1e1535 100644 --- a/awscli/topics/s3-config.rst +++ b/awscli/topics/s3-config.rst @@ -59,6 +59,10 @@ and ``aws s3api``: payloads. By default, this is disabled for streaming uploads (UploadPart and PutObject) when using https. +Additionally, the ``disable_s3_express_session_auth`` configuration value +can be set for both ``aws s3`` and ``aws s3api`` commands. Unlike the other +S3 configuration values, this value is set at the profile level and not under +the ``s3`` key. These values must be set under the top level ``s3`` key in the AWS Config File, which has a default location of ``~/.aws/config``. Below is an example @@ -295,6 +299,30 @@ but only if a ContentMD5 is present (it is generated by default) and the endpoint uses HTTPS. +disable_s3_express_session_auth +------------------------------- + +**Default** - ``false`` + +If set to ``true``, the client will not use S3 Express session authentication +for S3 Express One Zone directory buckets. By default, S3 Express session +authentication is enabled for requests to S3 Express One Zone directory buckets. +S3 Express session authentication provides optimized authentication for high +performance workloads with S3 Express One Zone. + +Unlike other S3 configuration values, this value must be set at the profile +level in the AWS Config File and not under the ``s3`` key. For example:: + + [profile development] + aws_access_key_id=foo + aws_secret_access_key=bar + disable_s3_express_session_auth = true + +To set this value programmatically using the ``aws configure set`` command:: + + $ aws configure set default.disable_s3_express_session_auth true + + preferred_transfer_client ------------------------- From 23504c26b299c178d8de7e93cde68bfefe1670d4 Mon Sep 17 00:00:00 2001 From: aemous Date: Thu, 12 Mar 2026 16:49:09 -0400 Subject: [PATCH 5/8] Progress on args.py s3 express opt-out port. --- awscli/botocore/args.py | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/awscli/botocore/args.py b/awscli/botocore/args.py index 4affaa116925..5d455a6c05c2 100644 --- a/awscli/botocore/args.py +++ b/awscli/botocore/args.py @@ -116,6 +116,9 @@ def get_client_args( signing_region = endpoint_config['signing_region'] endpoint_region_name = endpoint_config['region_name'] account_id_endpoint_mode = config_kwargs['account_id_endpoint_mode'] + s3_disable_express_session_auth = config_kwargs[ + 's3_disable_express_session_auth' + ] event_emitter = copy.copy(self._event_emitter) signer = RequestSigner( @@ -165,6 +168,7 @@ def get_client_args( event_emitter, credentials, account_id_endpoint_mode, + s3_disable_express_session_auth, ) # Copy the session's user agent factory and adds client configuration. @@ -280,6 +284,11 @@ def compute_client_args( ), account_id_endpoint_mode=client_config.account_id_endpoint_mode, auth_scheme_preference=client_config.auth_scheme_preference, + s3_disable_express_session_auth=( + s3_config.get('disable_s3_express_session_auth') + if s3_config is not None + else None + ), ) self._compute_retry_config(config_kwargs) self._compute_request_compression_config(config_kwargs) @@ -292,6 +301,7 @@ def compute_client_args( client_config, config_kwargs ) self._compute_signature_version_config(client_config, config_kwargs) + self._compute_s3_disable_express_session_auth(config_kwargs) s3_config = self.compute_s3_config(client_config) is_s3_service = self._is_s3_service(service_name) @@ -412,6 +422,19 @@ def _compute_s3_endpoint_config( ) return endpoint_config + def _validate_s3_disable_express_session_auth(self, config_val): + string_bool = isinstance(config_val, str) and config_val.lower() in [ + 'true', + 'false', + ] + if not isinstance(config_val, bool) and not string_bool: + raise botocore.exceptions.InvalidConfigError( + error_msg=( + f'Invalid value "{config_val}" for ' + 's3_disable_express_session_auth. Value must be a boolean' + ) + ) + def _set_region_if_custom_s3_endpoint( self, endpoint_config, endpoint_bridge ): @@ -506,6 +529,20 @@ def _compute_request_compression_config(self, config_kwargs): disabled = ensure_boolean(disabled) config_kwargs['disable_request_compression'] = disabled + def _compute_s3_disable_express_session_auth(self, config_kwargs): + disable_express = config_kwargs.get('s3_disable_express_session_auth') + if disable_express is None: + disable_express = self._config_store.get_config_variable( + 's3_disable_express_session_auth' + ) + + # Raise an error if the value does not represent a boolean. + if disable_express is not None: + self._validate_s3_disable_express_session_auth(disable_express) + config_kwargs['s3_disable_express_session_auth'] = ensure_boolean( + disable_express + ) + def _validate_min_compression_size(self, min_size): min_allowed_min_size = 1 max_allowed_min_size = 1048576 @@ -551,6 +588,7 @@ def _build_endpoint_resolver( event_emitter, credentials, account_id_endpoint_mode, + s3_disable_express_session_auth, ): if endpoints_ruleset_data is None: return None @@ -577,6 +615,7 @@ def _build_endpoint_resolver( legacy_endpoint_url=endpoint.host, credentials=credentials, account_id_endpoint_mode=account_id_endpoint_mode, + s3_disable_express_session_auth=s3_disable_express_session_auth, ) # Client context params for s3 conflict with the available settings # in the `s3` parameter on the `Config` object. If the same parameter From 43188cec94753ba2ec5a564d914178046a037b51 Mon Sep 17 00:00:00 2001 From: aemous Date: Thu, 19 Mar 2026 09:09:11 -0400 Subject: [PATCH 6/8] Update wording on changelog entry. --- .changes/next-release/enhancement-s3-43539.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.changes/next-release/enhancement-s3-43539.json b/.changes/next-release/enhancement-s3-43539.json index 419170003837..12c1a139cb14 100644 --- a/.changes/next-release/enhancement-s3-43539.json +++ b/.changes/next-release/enhancement-s3-43539.json @@ -1,5 +1,5 @@ { "type": "enhancement", "category": "``s3``", - "description": "Added support for opting out of Amazon S3 Express session authentication via the new ``AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`` environment variable, or the ``s3_disable_express_session_auth`` S3 shared configuration setting." + "description": "Added support for opting out of Amazon S3 Express session authentication via the new ``AWS_S3_DISABLE_EXPRESS_SESSION_AUTH`` environment variable, or the ``s3_disable_express_session_auth`` shared configuration setting." } From fd47b593a357fa7a57231b2e620bc756f55f5f4f Mon Sep 17 00:00:00 2001 From: aemous Date: Thu, 19 Mar 2026 09:22:19 -0400 Subject: [PATCH 7/8] Finalize port after rebasing against client context params. --- awscli/botocore/args.py | 9 +++- awscli/botocore/config.py | 1 + awscli/botocore/configprovider.py | 6 +-- .../botocore/test_disable_s3_express_auth.py | 46 +++++++++++++++++-- tests/unit/botocore/test_args.py | 18 ++++++++ 5 files changed, 70 insertions(+), 10 deletions(-) diff --git a/awscli/botocore/args.py b/awscli/botocore/args.py index 5d455a6c05c2..803e7e3658a5 100644 --- a/awscli/botocore/args.py +++ b/awscli/botocore/args.py @@ -626,6 +626,10 @@ def _build_endpoint_resolver( client_context = {} if self._is_s3_service(service_name_raw): client_context.update(s3_config_raw) + if s3_disable_express_session_auth is not None: + client_context['disable_s3_express_session_auth'] = ( + s3_disable_express_session_auth + ) sig_version = ( client_config.signature_version @@ -653,6 +657,7 @@ def compute_endpoint_resolver_builtin_defaults( legacy_endpoint_url, credentials, account_id_endpoint_mode, + s3_disable_express_session_auth, ): # EndpointRulesetResolver rulesets may accept an "SDK::Endpoint" as # input. If the endpoint_url argument of create_client() is set, it @@ -718,8 +723,8 @@ def compute_endpoint_resolver_builtin_defaults( EPRBuiltins.AWS_S3_DISABLE_MRAP: s3_config.get( 's3_disable_multiregion_access_points', False ), - EPRBuiltins.AWS_S3_DISABLE_EXPRESS_SESSION_AUTH: s3_config.get( - 'disable_s3_express_session_auth', False + EPRBuiltins.AWS_S3_DISABLE_EXPRESS_SESSION_AUTH: ( + s3_disable_express_session_auth ), EPRBuiltins.SDK_ENDPOINT: given_endpoint, EPRBuiltins.ACCOUNT_ID: credentials.get_deferred_property( diff --git a/awscli/botocore/config.py b/awscli/botocore/config.py index dbdd2b8b6612..92e060a92a03 100644 --- a/awscli/botocore/config.py +++ b/awscli/botocore/config.py @@ -276,6 +276,7 @@ class Config: ('proxies', None), ('proxies_config', None), ('s3', None), + ('s3_disable_express_session_auth', None), ('retries', None), ('client_cert', None), ('inject_host_prefix', None), diff --git a/awscli/botocore/configprovider.py b/awscli/botocore/configprovider.py index 0d382feeccec..9e40dd58695a 100644 --- a/awscli/botocore/configprovider.py +++ b/awscli/botocore/configprovider.py @@ -192,11 +192,11 @@ None, None, ), - 'disable_s3_express_session_auth': ( - ('s3', 's3_disable_express_session_auth'), + 's3_disable_express_session_auth': ( + 's3_disable_express_session_auth', 'AWS_S3_DISABLE_EXPRESS_SESSION_AUTH', None, - utils.ensure_boolean, + None, ), } # A mapping for the s3 specific configuration vars. These are the configuration diff --git a/tests/functional/botocore/test_disable_s3_express_auth.py b/tests/functional/botocore/test_disable_s3_express_auth.py index e312f07ee3b6..f711d2f258d0 100644 --- a/tests/functional/botocore/test_disable_s3_express_auth.py +++ b/tests/functional/botocore/test_disable_s3_express_auth.py @@ -11,13 +11,14 @@ # ANY KIND, either express or implied. See the License for the specific # language governing permissions and limitations under the License. import datetime +import os from unittest import mock import pytest from dateutil.tz import tzutc from botocore.config import Config -from tests import ClientHTTPStubber +from tests import ClientHTTPStubber, temporary_file class TestDisableS3ExpressAuth: @@ -35,7 +36,7 @@ def mock_datetime(self): yield mock_dt def test_disable_s3_express_auth_enabled( - self, patched_session, mock_datetime + self, patched_session, mock_datetime ): config = Config(s3={'disable_s3_express_session_auth': True}) s3_client = patched_session.create_client( @@ -44,14 +45,49 @@ def test_disable_s3_express_auth_enabled( region_name='us-west-2', ) - with ClientHTTPStubber(s3_client) as stubber: + with ClientHTTPStubber(s3_client, strict=True) as stubber: + stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) + s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) + + assert len(stubber.requests) == 1 + + def test_disable_s3_express_auth_enabled_env_var( + self, patched_session, mock_datetime + ): + os.environ['AWS_S3_DISABLE_EXPRESS_SESSION_AUTH'] = 'true' + s3_client = patched_session.create_client( + 's3', + region_name='us-west-2', + ) + + with ClientHTTPStubber(s3_client, strict=True) as stubber: + stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) + s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) + + assert len(stubber.requests) == 1 + + def test_disable_s3_express_auth_enabled_shared_config( + self, patched_session, mock_datetime + ): + with temporary_file('w') as f: + os.environ['AWS_CONFIG_FILE'] = f.name + f.write('[default]\n') + f.write('s3_disable_express_session_auth = true\n') + f.flush() + + s3_client = patched_session.create_client( + 's3', + region_name='us-west-2', + ) + + with ClientHTTPStubber(s3_client, strict=True) as stubber: stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) assert len(stubber.requests) == 1 def test_disable_s3_express_auth_disabled( - self, patched_session, mock_datetime + self, patched_session, mock_datetime ): config = Config(s3={'disable_s3_express_session_auth': False}) s3_client = patched_session.create_client( @@ -60,7 +96,7 @@ def test_disable_s3_express_auth_disabled( region_name='us-west-2', ) - with ClientHTTPStubber(s3_client) as stubber: + with ClientHTTPStubber(s3_client, strict=True) as stubber: stubber.add_response(body=self.CREATE_SESSION_RESPONSE) stubber.add_response(body=self.LIST_OBJECTS_RESPONSE) s3_client.list_objects_v2(Bucket=self.BUCKET_NAME) diff --git a/tests/unit/botocore/test_args.py b/tests/unit/botocore/test_args.py index 8a789e5f6699..3ac73389a797 100644 --- a/tests/unit/botocore/test_args.py +++ b/tests/unit/botocore/test_args.py @@ -695,6 +695,7 @@ def call_compute_endpoint_resolver_builtin_defaults(self, **overrides): defaults = { 'region_name': 'ca-central-1', 'service_name': 'fooservice', + 's3_disable_express_session_auth': False, 's3_config': {}, 'endpoint_bridge': self.bridge, 'client_endpoint_url': None, @@ -722,6 +723,7 @@ def test_builtins_defaults(self): self.assertEqual( bins['AWS::S3::DisableMultiRegionAccessPoints'], False ) + self.assertEqual(bins['AWS::S3::DisableS3ExpressSessionAuth'], False) self.assertEqual(bins['SDK::Endpoint'], None) self.assertEqual(bins['AWS::Auth::AccountId'], None) self.assertEqual(bins['AWS::Auth::AccountIdEndpointMode'], 'preferred') @@ -888,6 +890,22 @@ def test_account_id_endpoint_mode_set_to_disabled(self): ) self.assertEqual(bins['AWS::Auth::AccountIdEndpointMode'], 'disabled') + def test_disable_s3_express_session_auth_default(self): + bins = self.call_compute_endpoint_resolver_builtin_defaults() + self.assertEqual(bins['AWS::S3::DisableS3ExpressSessionAuth'], False) + + def test_disable_s3_express_session_auth_set_to_false(self): + bins = self.call_compute_endpoint_resolver_builtin_defaults( + s3_disable_express_session_auth=False, + ) + self.assertEqual(bins['AWS::S3::DisableS3ExpressSessionAuth'], False) + + def test_disable_s3_express_session_auth_set_to_true(self): + bins = self.call_compute_endpoint_resolver_builtin_defaults( + s3_disable_express_session_auth=True, + ) + self.assertEqual(bins['AWS::S3::DisableS3ExpressSessionAuth'], True) + class TestProtocolPriorityList: def test_all_parsers_accounted_for(self): From 728830e678c857bd3e2b154915d6d28752f31663 Mon Sep 17 00:00:00 2001 From: aemous Date: Thu, 19 Mar 2026 09:41:57 -0400 Subject: [PATCH 8/8] Fix bug where unsupported S3 shared config settings were being used in computing whether to disable S3 session auth. --- awscli/botocore/args.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/awscli/botocore/args.py b/awscli/botocore/args.py index 803e7e3658a5..522a4ee4189e 100644 --- a/awscli/botocore/args.py +++ b/awscli/botocore/args.py @@ -285,8 +285,8 @@ def compute_client_args( account_id_endpoint_mode=client_config.account_id_endpoint_mode, auth_scheme_preference=client_config.auth_scheme_preference, s3_disable_express_session_auth=( - s3_config.get('disable_s3_express_session_auth') - if s3_config is not None + client_config.s3.get('disable_s3_express_session_auth') + if client_config.s3 is not None else None ), )