From 857f921d763cb43b9384b93dc12665e64dd2e638 Mon Sep 17 00:00:00 2001
From: vishalnayak
Date: Wed, 14 Sep 2016 18:27:35 -0400
Subject: [PATCH] Added comment

---
 builtin/credential/aws-ec2/path_login.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 057fcb449..9ae9ad4be 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -325,6 +325,14 @@ func (b *backend) pathLoginUpdate(
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
+	// Don't let subsequent login attempts to bypass in initial
+	// intent of disabling reauthentication, despite the properties
+	// of role getting updated. For example: Role has the value set
+	// to 'false', a role-tag login sets the value to 'true', then
+	// role gets updated to not use a role-tag, and a login attempt
+	// is made with role's value set to 'false'. Removing the entry
+	// from the identity whitelist should be the only way to be
+	// able to login from the instance again.
 	if !disallowReauthentication && storedIdentity.DisallowReauthentication {
 		disallowReauthentication = true
 	}
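Review bot: The added comment's opening sentence does not parse ("Don't let subsequent login attempts to bypass in initial intent of disabling reauthentication"), which matters here because the guarded `if` is the line that makes the disallow-reauthentication flag sticky for an instance, and an auditor should be able to read its intent in one pass. I would lead with the invariant and keep the example as the second sentence: `// Once reauthentication has been disallowed for this instance, keep it disallowed on every later login, even if the role or role tag no longer requests it.` followed by the existing worked example. It would also help to say where the stored value is persisted and cleared, since the comment asserts that removing the identity-whitelist entry is the only way to log in again but the hunk itself shows neither the write nor the removal path. Note that pathLoginUpdate starts and ends outside the hunk, and the source of the local `disallowReauthentication` (presumably the role or role-tag evaluated earlier in the function) is not visible here.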