From cff0baf3229d793e89583ac9ccd387ab9e9bec48 Mon Sep 17 00:00:00 2001 From: Brian Howe <30811239+bhowe34@users.noreply.github.com> Date: Fri, 28 Oct 2022 16:28:25 -0500 Subject: [PATCH] secrets/aws: don't create leases for AWS STS secrets (#15869) * don't create leases for AWS STS secrets * don't create leases for aws federation tokens --- builtin/logical/aws/secret_access_keys.go | 54 ++++++++--------------- changelog/15869.txt | 3 ++ 2 files changed, 22 insertions(+), 35 deletions(-) create mode 100644 changelog/15869.txt diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go index c70386d68..eb83ed5fa 100644 --- a/builtin/logical/aws/secret_access_keys.go +++ b/builtin/logical/aws/secret_access_keys.go @@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage, return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err) } - resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{ - "access_key": *tokenResp.Credentials.AccessKeyId, - "secret_key": *tokenResp.Credentials.SecretAccessKey, - "security_token": *tokenResp.Credentials.SessionToken, - }, map[string]interface{}{ - "username": username, - "policy": policy, - "is_sts": true, - }) - - // Set the secret TTL to appropriately match the expiration of the token - resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now()) - - // STS are purposefully short-lived and aren't renewable - resp.Secret.Renewable = false - - return resp, nil + // STS credentials cannot be revoked so do not create a lease + return &logical.Response{ + Data: map[string]interface{}{ + "access_key": *tokenResp.Credentials.AccessKeyId, + "secret_key": *tokenResp.Credentials.SecretAccessKey, + "security_token": *tokenResp.Credentials.SessionToken, + "ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()), + }, + }, nil } func (b *backend) assumeRole(ctx context.Context, s logical.Storage, @@ -238,24 +230,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage, return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err) } - resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{ - "access_key": *tokenResp.Credentials.AccessKeyId, - "secret_key": *tokenResp.Credentials.SecretAccessKey, - "security_token": *tokenResp.Credentials.SessionToken, - "arn": *tokenResp.AssumedRoleUser.Arn, - }, map[string]interface{}{ - "username": roleSessionName, - "policy": roleArn, - "is_sts": true, - }) - - // Set the secret TTL to appropriately match the expiration of the token - resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now()) - - // STS are purposefully short-lived and aren't renewable - resp.Secret.Renewable = false - - return resp, nil + // STS credentials cannot be revoked so do not create a lease + return &logical.Response{ + Data: map[string]interface{}{ + "access_key": *tokenResp.Credentials.AccessKeyId, + "secret_key": *tokenResp.Credentials.SecretAccessKey, + "security_token": *tokenResp.Credentials.SessionToken, + "arn": *tokenResp.AssumedRoleUser.Arn, + "ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()), + }, + }, nil } func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) { diff --git a/changelog/15869.txt b/changelog/15869.txt new file mode 100644 index 000000000..bb0278dcc --- /dev/null +++ b/changelog/15869.txt @@ -0,0 +1,3 @@ +```release-note:change +secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls +``` \ No newline at end of file