CloudFormation — SAM transform (AWS::Serverless-2016-10-31) templates are expanded into native CloudFormation — a template carrying Transform: AWS::Serverless-2016-10-31 now has its SAM resources expanded into native CloudFormation before provisioning, via the canonical aws-sam-translator, matching AWS's server-side expansion on CreateStack, UpdateStack, and CreateChangeSet. The dependency is optional and ships in the full image only; a lean image that receives a SAM template returns a clear error pointing to the full image instead of silently failing to expand. Contributed by @maximoosemine.
IAM — group policy attach/detach and inline group policies — AttachGroupPolicy, DetachGroupPolicy, ListAttachedGroupPolicies, PutGroupPolicy, GetGroupPolicy, DeleteGroupPolicy, and ListGroupPolicies are now implemented, matching the existing User and Role coverage, so the create-group then attach-managed-and-inline-policy pattern works instead of returning InvalidAction: Unknown IAM action. Contributed by @maxflorentin.
SNS — mobile-push endpoint lifecycle: GetEndpointAttributes, SetEndpointAttributes, DeleteEndpoint, DeletePlatformApplication — completes the platform-endpoint flow on top of the existing CreatePlatformApplication/CreatePlatformEndpoint. CreatePlatformEndpoint now deduplicates by device token within a platform application (AWS behavior): re-requesting the same Token returns the existing endpoint ARN when CustomUserData matches, and raises InvalidParameter: "Endpoint <arn> already exists with the same Token, but different attributes." when it differs — so callers can parse the ARN and reconcile. Publish to a platform-endpoint TargetArn now succeeds (stub delivery) instead of returning Topic does not exist, and DeletePlatformApplication is idempotent and drops the application's endpoints. This lets app push-token registration flows (register → read/update attributes → delete) run end-to-end against MiniStack. Contributed by @sjincho.
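The token-dedup rule and the reconcile pattern described above, as an added example (not MiniStack's SNS implementation): an in-memory store for platform applications and endpoints, plus the client-side reconcile step that parses the ARN out of the error. The region, account, ARNs, endpoint ids and error classes are constructed for the example.

```python
# Added example, not MiniStack's code: in-memory SNS platform-endpoint store with
# device-token dedup, idempotent deletes, stub publish, and a client-side reconcile.
import re
import uuid


class InvalidParameter(Exception):
    """Stand-in for the SNS InvalidParameter error."""


class NotFound(Exception):
    """Stand-in for the SNS NotFound error."""


class PlatformStore:
    def __init__(self, region="us-east-1", account="123456789012"):  # constructed values
        self._prefix = f"arn:aws:sns:{region}:{account}"
        self._apps = {}  # application ARN -> {endpoint ARN -> attribute dict}

    def create_platform_application(self, name, platform):
        arn = f"{self._prefix}:app/{platform}/{name}"
        self._apps.setdefault(arn, {})
        return arn

    def create_platform_endpoint(self, app_arn, token, custom_user_data=""):
        endpoints = self._endpoints(app_arn)
        for arn, attrs in endpoints.items():
            if attrs["Token"] == token:
                if attrs["CustomUserData"] == custom_user_data:
                    return arn  # same token and attributes: return the existing endpoint
                raise InvalidParameter(
                    f"Endpoint {arn} already exists with the same Token, but different attributes."
                )
        arn = app_arn.replace(":app/", ":endpoint/", 1) + "/" + str(uuid.uuid4())
        endpoints[arn] = {"Token": token, "CustomUserData": custom_user_data, "Enabled": "true"}
        return arn

    def get_endpoint_attributes(self, endpoint_arn):
        return dict(self._find(endpoint_arn))

    def set_endpoint_attributes(self, endpoint_arn, **attributes):
        unknown = set(attributes) - {"Token", "CustomUserData", "Enabled"}
        if unknown:
            raise InvalidParameter(f"unknown attributes: {sorted(unknown)}")
        self._find(endpoint_arn).update(attributes)

    def delete_endpoint(self, endpoint_arn):
        for endpoints in self._apps.values():
            endpoints.pop(endpoint_arn, None)  # idempotent

    def delete_platform_application(self, app_arn):
        self._apps.pop(app_arn, None)  # idempotent; the application's endpoints go with it

    def publish(self, target_arn, message):
        self._find(target_arn)  # unknown endpoint -> NotFound, not "Topic does not exist"
        return {"MessageId": str(uuid.uuid4())}  # stub delivery, message is dropped

    def _endpoints(self, app_arn):
        if app_arn not in self._apps:
            raise NotFound(f"PlatformApplication does not exist: {app_arn}")
        return self._apps[app_arn]

    def _find(self, endpoint_arn):
        for endpoints in self._apps.values():
            if endpoint_arn in endpoints:
                return endpoints[endpoint_arn]
        raise NotFound(f"Endpoint does not exist: {endpoint_arn}")


ARN_IN_ERROR = re.compile(r"Endpoint (arn:aws:sns:\S+) already exists with the same Token")


def reconcile_endpoint(store, app_arn, token, custom_user_data):
    """Client-side pattern: create; on the 'already exists' error, parse the ARN and update it."""
    try:
        return store.create_platform_endpoint(app_arn, token, custom_user_data)
    except InvalidParameter as exc:
        match = ARN_IN_ERROR.search(str(exc))
        if not match:
            raise
        arn = match.group(1)
        store.set_endpoint_attributes(arn, CustomUserData=custom_user_data)
        return arn
```

The reconcile helper is the caller-side half of the contract: because the error message carries the existing endpoint ARN, a registration flow can recover without listing every endpoint in the application.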
Fixed
S3 — S3 → EventBridge events use AWS-conformant detail-type, reason, and deletion-type — S3 → EventBridge delivery built the detail-type by string-mangling the granular notification event name (Object ObjectCreated Put instead of AWS's fixed Object Created), hardcoded detail.reason to PutObject for every event, and omitted detail.deletion-type on deletes. Because EventBridge rules match on detail-type, any rule written to the AWS-documented type (e.g. ["Object Created"]) silently never matched. Each S3 event family now maps to its fixed EventBridge detail-type, with the per-API reason (PutObject/POST Object/CopyObject/CompleteMultipartUpload/DeleteObject) and a deletion-type on Object Deleted. Contributed by @lucasmfraser.
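The mapping described above, as an added example (not MiniStack's S3 code): each S3 notification event name maps to its fixed EventBridge detail-type and per-API reason, with a minimal rule matcher to show why the old string-mangled detail-type never matched a rule written to the AWS-documented type. The deletion-type strings follow the AWS documentation for the Object Deleted event; the bucket, key, region and account values are constructed.

```python
# Added example, not MiniStack's code: S3 event name -> EventBridge detail-type/reason,
# with the old mangled form kept for contrast and a small rule matcher.

S3_EVENT_TO_EVENTBRIDGE = {
    # S3 notification event name            -> (EventBridge detail-type, detail.reason)
    "ObjectCreated:Put":                     ("Object Created", "PutObject"),
    "ObjectCreated:Post":                    ("Object Created", "POST Object"),
    "ObjectCreated:Copy":                    ("Object Created", "CopyObject"),
    "ObjectCreated:CompleteMultipartUpload": ("Object Created", "CompleteMultipartUpload"),
    "ObjectRemoved:Delete":                  ("Object Deleted", "DeleteObject"),
    "ObjectRemoved:DeleteMarkerCreated":     ("Object Deleted", "DeleteObject"),
}

# deletion-type values as documented by AWS for the Object Deleted event
DELETION_TYPE = {
    "ObjectRemoved:Delete": "Permanently Deleted",
    "ObjectRemoved:DeleteMarkerCreated": "Delete Marker Created",
}


def legacy_detail_type(event_name):
    """The old behaviour: mangle 'ObjectCreated:Put' into 'Object ObjectCreated Put'."""
    return "Object " + event_name.replace(":", " ")


def to_eventbridge_event(event_name, bucket, key, region="us-east-1", account="123456789012"):
    """Build the EventBridge event for one S3 notification (constructed region/account)."""
    detail_type, reason = S3_EVENT_TO_EVENTBRIDGE[event_name]
    detail = {
        "version": "0",
        "bucket": {"name": bucket},
        "object": {"key": key},
        "reason": reason,
    }
    if detail_type == "Object Deleted":
        detail["deletion-type"] = DELETION_TYPE[event_name]
    return {
        "source": "aws.s3",
        "detail-type": detail_type,
        "region": region,
        "account": account,
        "resources": [f"arn:aws:s3:::{bucket}"],
        "detail": detail,
    }


def rule_matches(pattern, event):
    """Minimal EventBridge pattern matcher: each pattern key must be present in the event and
    its value must be one of the listed values; nested dicts (e.g. "detail") recurse."""
    for key, allowed in pattern.items():
        if isinstance(allowed, dict):
            if not isinstance(event.get(key), dict) or not rule_matches(allowed, event[key]):
                return False
        elif event.get(key) not in allowed:
            return False
    return True
```

A rule such as {"source": ["aws.s3"], "detail-type": ["Object Created"]} matches the fixed type and is silently skipped for the mangled one, which is exactly the failure mode the fix removes.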
API Gateway — failed OIDC discovery is negative-cached so a transient failure no longer causes a two-hour auth outage — _fetch_oidc_jwks_uri cached the result of OIDC discovery unconditionally, so a single transient failure cached jwks_uri = None for the full 7200s TTL and every subsequent JWT validation for that issuer fell back to the wrong default path and returned 401/404 for up to two hours, recoverable only by a restart. Discovery now writes the 7200s cache only on success and a short 60s negative cache on failure, so auth recovers within a minute of the issuer becoming reachable while still avoiding a re-run on every request. Contributed by @Pratham2703005.
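The cache policy described above, as an added example (not MiniStack's _fetch_oidc_jwks_uri): a discovery cache that stores a successful jwks_uri for the 7200s positive TTL and a failure for only a 60s negative TTL. The fetcher and clock are injected so the outage and recovery can be driven offline; the FakeClock, FlakyIssuer and issuer URLs are constructed for the example.

```python
# Added example, not MiniStack's code: OIDC discovery cache with positive and negative TTLs.

POSITIVE_TTL_S = 7200  # successful discovery result
NEGATIVE_TTL_S = 60    # failed discovery, so recovery is retried within a minute


class OidcDiscoveryCache:
    def __init__(self, fetch_discovery, now, positive_ttl=POSITIVE_TTL_S, negative_ttl=NEGATIVE_TTL_S):
        self._fetch = fetch_discovery  # callable(issuer) -> discovery document dict, raises on failure
        self._now = now                # callable() -> seconds
        self._positive_ttl = positive_ttl
        self._negative_ttl = negative_ttl
        self._cache = {}               # issuer -> (jwks_uri or None, expires_at)
        self.fetch_count = 0           # how often discovery actually ran

    def jwks_uri(self, issuer):
        now = self._now()
        cached = self._cache.get(issuer)
        if cached is not None and now < cached[1]:
            return cached[0]  # may be None inside the short negative window
        self.fetch_count += 1
        try:
            uri = self._fetch(issuer)["jwks_uri"]
        except Exception:
            # Failure: remember it only briefly, never for the full positive TTL.
            self._cache[issuer] = (None, now + self._negative_ttl)
            return None
        self._cache[issuer] = (uri, now + self._positive_ttl)
        return uri


class FakeClock:
    """Constructed clock so the example does not sleep."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FlakyIssuer:
    """Constructed stand-in for an issuer's /.well-known/openid-configuration endpoint."""
    def __init__(self, jwks_uri):
        self.jwks_uri = jwks_uri
        self.reachable = True

    def __call__(self, issuer):
        if not self.reachable:
            raise ConnectionError("discovery endpoint unreachable")
        return {"issuer": issuer, "jwks_uri": self.jwks_uri}


def simulate_outage(issuer_url="https://issuer.example", jwks="https://issuer.example/jwks.json"):
    """Discovery fails once, the issuer comes back 30s later; report what callers see over time."""
    clock, issuer = FakeClock(), FlakyIssuer(jwks)
    cache = OidcDiscoveryCache(issuer, clock)
    issuer.reachable = False
    during_outage = cache.jwks_uri(issuer_url)
    clock.advance(30)
    issuer.reachable = True
    within_negative_ttl = cache.jwks_uri(issuer_url)   # still inside the 60s negative window
    clock.advance(31)
    after_negative_ttl = cache.jwks_uri(issuer_url)    # 61s after the failure: re-fetched
    return during_outage, within_negative_ttl, after_negative_ttl, cache.fetch_count
```

With the unconditional cache the page describes, the second value would stay None until t = 7200s; here it turns into the real jwks_uri at t = 61s after exactly two discovery calls.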
Lambda — worker respawn cleans up the previous tmpdir and terminates the dead process — when a Lambda worker died between invocations, _spawn() created a fresh tmpdir without removing the previous one (leaking the extracted function code and layers on disk) and an errored handler set self._proc = None without terminating the subprocess (leaking ~68 MB per orphaned worker). Respawn now removes the old tmpdir and terminates the previous process first. Contributed by @hiddengearz.
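The respawn ordering described above, as an added example (not MiniStack's _spawn): a worker holder that tears down the previous tmpdir and terminates the previous subprocess before creating fresh state, so neither a crashed worker nor an errored-handler respawn leaks. The worker command (a sleeping Python process) and the placeholder handler file stand in for the real extracted function code.

```python
# Added example, not MiniStack's code: worker respawn that cleans up before creating new state.
import os
import shutil
import subprocess
import sys
import tempfile


class LambdaWorker:
    def __init__(self):
        self.proc = None    # subprocess.Popen of the current worker, or None
        self.tmpdir = None  # directory holding the extracted function code and layers

    def _cleanup(self):
        """Terminate the previous process and remove the previous tmpdir (the fix)."""
        if self.proc is not None:
            if self.proc.poll() is None:
                self.proc.terminate()
                try:
                    self.proc.wait(timeout=5)
                except subprocess.TimeoutExpired:
                    self.proc.kill()
                    self.proc.wait()
            self.proc = None
        if self.tmpdir is not None:
            shutil.rmtree(self.tmpdir, ignore_errors=True)
            self.tmpdir = None

    def _spawn(self):
        self._cleanup()  # old behaviour skipped this step and leaked both resources
        self.tmpdir = tempfile.mkdtemp(prefix="lambda-worker-")
        with open(os.path.join(self.tmpdir, "handler.py"), "w") as f:  # placeholder for extracted code
            f.write("def handler(event, context):\n    return event\n")
        # Constructed worker process; the real one would run the handler in this tmpdir.
        self.proc = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(3600)"])

    def ensure_alive(self):
        """Respawn if the worker died between invocations; return the live worker's pid."""
        if self.proc is None or self.proc.poll() is not None:
            self._spawn()
        return self.proc.pid

    def close(self):
        self._cleanup()


def simulate_crash_and_respawn():
    """Spawn, kill the worker as if it crashed, respawn, then force an errored-handler respawn."""
    worker = LambdaWorker()
    first_pid = worker.ensure_alive()
    first_dir = worker.tmpdir
    worker.proc.kill()          # the worker dies between invocations
    worker.proc.wait()
    second_pid = worker.ensure_alive()
    second_dir, second_proc = worker.tmpdir, worker.proc
    worker._spawn()             # errored handler path: respawn while the worker is still alive
    third_dir = worker.tmpdir
    result = {
        "respawned": second_pid != first_pid,
        "old_tmpdir_removed": not os.path.exists(first_dir),
        "live_process_terminated_on_respawn": second_proc.poll() is not None,
        "second_tmpdir_removed": not os.path.exists(second_dir),
        "new_worker_alive": worker.proc.poll() is None and os.path.exists(third_dir),
    }
    worker.close()
    result["closed_cleanly"] = worker.proc is None and not os.path.exists(third_dir)
    return result
```

Every key in the returned dict should be True; a False on old_tmpdir_removed or live_process_terminated_on_respawn reproduces the two leaks the fix addresses.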
Cognito — OAuth2 Basic-auth client secret containing + is no longer corrupted — the Authorization: Basic credential decode used unquote_plus, which turns a literal + in a Cognito-generated secret into a space, so client_secret_basic failed with invalid_client for the roughly half of generated secrets that contain a +. It now uses unquote, preserving + while still decoding %2F/%2B. Contributed by @jgrumboe.
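The decode difference described above, as an added example (not MiniStack's Cognito code): parsing a client_secret_basic Authorization header with unquote versus unquote_plus, showing that a literal + in the secret survives the former and becomes a space with the latter, while a client that percent-encodes per RFC 6749 works with both. The client id, secret and header values are constructed.

```python
# Added example, not MiniStack's code: Basic-auth client_secret decode with unquote vs unquote_plus.
import base64
import hmac
from urllib.parse import quote, unquote, unquote_plus


def decode_basic_credentials(authorization, decoder=unquote):
    """Parse 'Basic <base64(client_id:client_secret)>' and percent-decode both parts."""
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(payload, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("credential is missing the ':' separator")
    return decoder(client_id), decoder(client_secret)


def basic_header(client_id, client_secret, percent_encode=False):
    """Build the header as a client would. RFC 6749 says to form-urlencode the parts first,
    but many clients send the raw secret, which is where a literal '+' reaches the decoder."""
    if percent_encode:
        client_id, client_secret = quote(client_id, safe=""), quote(client_secret, safe="")
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")


def authenticate(authorization, clients, decoder=unquote):
    """True when the decoded secret matches the stored one (constant-time compare)."""
    try:
        client_id, presented = decode_basic_credentials(authorization, decoder)
    except ValueError:
        return False
    stored = clients.get(client_id)
    return stored is not None and hmac.compare_digest(presented.encode("utf-8"), stored.encode("utf-8"))


# Constructed client registry; the secret contains '+' like roughly half of generated secrets do.
CLIENTS = {"1example23456789": "abc+def/ghi+jkl"}
```

unquote still turns %2B into + and %2F into /, so a conforming client loses nothing; only the raw-secret case changes, and that is the one that was failing with invalid_client.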