Revert changes to STS leases but keep the ttl field (#20034)
* revert STS lease changes, now create a lease for STS credentials but keep the ttl Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
This commit is contained in:
parent
a19f7dbda5
commit
1b4ff1b1b4
|
@ -158,15 +158,28 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
|
||||||
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
|
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// STS credentials cannot be revoked so do not create a lease
|
// While STS credentials cannot be revoked/renewed, we will still create a lease since users are
|
||||||
return &logical.Response{
|
// relying on a non-zero `lease_duration` in order to manage their lease lifecycles manually.
|
||||||
Data: map[string]interface{}{
|
//
|
||||||
|
ttl := tokenResp.Credentials.Expiration.Sub(time.Now())
|
||||||
|
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
|
||||||
"access_key": *tokenResp.Credentials.AccessKeyId,
|
"access_key": *tokenResp.Credentials.AccessKeyId,
|
||||||
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
||||||
"security_token": *tokenResp.Credentials.SessionToken,
|
"security_token": *tokenResp.Credentials.SessionToken,
|
||||||
"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
|
"ttl": uint64(ttl.Seconds()),
|
||||||
},
|
}, map[string]interface{}{
|
||||||
}, nil
|
"username": username,
|
||||||
|
"policy": policy,
|
||||||
|
"is_sts": true,
|
||||||
|
})
|
||||||
|
|
||||||
|
// Set the secret TTL to appropriately match the expiration of the token
|
||||||
|
resp.Secret.TTL = ttl
|
||||||
|
|
||||||
|
// STS are purposefully short-lived and aren't renewable
|
||||||
|
resp.Secret.Renewable = false
|
||||||
|
|
||||||
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
||||||
|
@ -233,16 +246,29 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
||||||
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
|
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// STS credentials cannot be revoked so do not create a lease
|
// While STS credentials cannot be revoked/renewed, we will still create a lease since users are
|
||||||
return &logical.Response{
|
// relying on a non-zero `lease_duration` in order to manage their lease lifecycles manually.
|
||||||
Data: map[string]interface{}{
|
//
|
||||||
|
ttl := tokenResp.Credentials.Expiration.Sub(time.Now())
|
||||||
|
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
|
||||||
"access_key": *tokenResp.Credentials.AccessKeyId,
|
"access_key": *tokenResp.Credentials.AccessKeyId,
|
||||||
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
||||||
"security_token": *tokenResp.Credentials.SessionToken,
|
"security_token": *tokenResp.Credentials.SessionToken,
|
||||||
"arn": *tokenResp.AssumedRoleUser.Arn,
|
"arn": *tokenResp.AssumedRoleUser.Arn,
|
||||||
"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
|
"ttl": uint64(ttl.Seconds()),
|
||||||
},
|
}, map[string]interface{}{
|
||||||
}, nil
|
"username": roleSessionName,
|
||||||
|
"policy": roleArn,
|
||||||
|
"is_sts": true,
|
||||||
|
})
|
||||||
|
|
||||||
|
// Set the secret TTL to appropriately match the expiration of the token
|
||||||
|
resp.Secret.TTL = ttl
|
||||||
|
|
||||||
|
// STS are purposefully short-lived and aren't renewable
|
||||||
|
resp.Secret.Renewable = false
|
||||||
|
|
||||||
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
|
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note: bug
|
||||||
|
secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place.
|
||||||
|
```
|
Loading…
Reference in New Issue