From c20b5f1040d41d2aab057a0de31dfb473816a472 Mon Sep 17 00:00:00 2001
From: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Date: Thu, 15 Jul 2021 10:05:38 -0700
Subject: [PATCH] [VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026)

* fix: cap token TTL at login time based on default lease TTL
* add changelog file
* patch: update warning messages to not include 'at login'
* patch: remove default lease capping and test
* update changelog
* patch: revert warning message
---
 builtin/credential/aws/path_role.go      | 4 ----
 builtin/credential/aws/path_role_test.go | 4 ++--
 changelog/12026.txt                      | 3 +++
 3 files changed, 5 insertions(+), 6 deletions(-)
 create mode 100644 changelog/12026.txt

diff --git a/builtin/credential/aws/path_role.go b/builtin/credential/aws/path_role.go
index 1d248a393..8cca61b3d 100644
--- a/builtin/credential/aws/path_role.go
+++ b/builtin/credential/aws/path_role.go
@@ -889,11 +889,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 		}
 	}
 
-	defaultLeaseTTL := b.System().DefaultLeaseTTL()
 	systemMaxTTL := b.System().MaxLeaseTTL()
-	if roleEntry.TokenTTL > defaultLeaseTTL {
-		resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds greater than current mount/system default of %d seconds; ttl will be capped at login time", roleEntry.TokenTTL/time.Second, defaultLeaseTTL/time.Second))
-	}
 	if roleEntry.TokenMaxTTL > systemMaxTTL {
 		resp.AddWarning(fmt.Sprintf("Given max ttl of %d seconds greater than current mount/system default of %d seconds; max ttl will be capped at login time", roleEntry.TokenMaxTTL/time.Second, systemMaxTTL/time.Second))
 	}
diff --git a/builtin/credential/aws/path_role_test.go b/builtin/credential/aws/path_role_test.go
index a46a28a8a..5d7a0e313 100644
--- a/builtin/credential/aws/path_role_test.go
+++ b/builtin/credential/aws/path_role_test.go
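Review bot: Nothing left in the code records why a role `ttl` above the mount's default lease TTL no longer produces a warning, so a maintainer reading only the surviving `systemMaxTTL` check is likely to re-add the removed one; a comment above `systemMaxTTL := b.System().MaxLeaseTTL()` would pin the intent, e.g. `// Only max_ttl is capped at login (to the mount/system max TTL); a ttl above the mount's default lease TTL is not capped, so it gets no warning (see #12026).` The surviving warning text reads "greater than current mount/system default" while the value it compares against and prints is `MaxLeaseTTL()`, which appears to be the maximum rather than the default — the message should name the value it reports, e.g. "greater than current mount/system max". I cannot see from this hunk whether `ttl` is validated against `max_ttl`; if that is not enforced elsewhere, a role with `ttl` above its own `max_ttl` would now be accepted here with no warning at all. `pathRoleCreateUpdate` starts and ends outside the hunk.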
@@ -762,10 +762,10 @@ func TestAwsEc2_RoleDurationSeconds(t *testing.T) {
 	}
 	if resp.Data["ttl"].(int64) != 10 {
-		t.Fatalf("bad: period; expected: 10, actual: %d", resp.Data["ttl"])
+		t.Fatalf("bad: ttl; expected: 10, actual: %d", resp.Data["ttl"])
 	}
 	if resp.Data["max_ttl"].(int64) != 20 {
-		t.Fatalf("bad: period; expected: 20, actual: %d", resp.Data["max_ttl"])
+		t.Fatalf("bad: max_ttl; expected: 20, actual: %d", resp.Data["max_ttl"])
 	}
 	if resp.Data["period"].(int64) != 30 {
 		t.Fatalf("bad: period; expected: 30, actual: %d", resp.Data["period"])
diff --git a/changelog/12026.txt b/changelog/12026.txt
new file mode 100644
index 000000000..12b6cdda7
--- /dev/null
+++ b/changelog/12026.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL.
+```
\ No newline at end of file