secrets/aws: don't create leases for AWS STS secrets (#15869)

* don't create leases for AWS STS secrets

* don't create leases for aws federation tokens
This commit is contained in:
Brian Howe 2022-10-28 16:28:25 -05:00 committed by GitHub
parent 6d92ef4d9a
commit cff0baf322
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 35 deletions

View File

@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err) return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
} }
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{ // STS credentials cannot be revoked so do not create a lease
return &logical.Response{
Data: map[string]interface{}{
"access_key": *tokenResp.Credentials.AccessKeyId, "access_key": *tokenResp.Credentials.AccessKeyId,
"secret_key": *tokenResp.Credentials.SecretAccessKey, "secret_key": *tokenResp.Credentials.SecretAccessKey,
"security_token": *tokenResp.Credentials.SessionToken, "security_token": *tokenResp.Credentials.SessionToken,
}, map[string]interface{}{ "ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
"username": username, },
"policy": policy, }, nil
"is_sts": true,
})
// Set the secret TTL to appropriately match the expiration of the token
resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
// STS are purposefully short-lived and aren't renewable
resp.Secret.Renewable = false
return resp, nil
} }
func (b *backend) assumeRole(ctx context.Context, s logical.Storage, func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
@ -238,24 +230,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err) return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
} }
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{ // STS credentials cannot be revoked so do not create a lease
return &logical.Response{
Data: map[string]interface{}{
"access_key": *tokenResp.Credentials.AccessKeyId, "access_key": *tokenResp.Credentials.AccessKeyId,
"secret_key": *tokenResp.Credentials.SecretAccessKey, "secret_key": *tokenResp.Credentials.SecretAccessKey,
"security_token": *tokenResp.Credentials.SessionToken, "security_token": *tokenResp.Credentials.SessionToken,
"arn": *tokenResp.AssumedRoleUser.Arn, "arn": *tokenResp.AssumedRoleUser.Arn,
}, map[string]interface{}{ "ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
"username": roleSessionName, },
"policy": roleArn, }, nil
"is_sts": true,
})
// Set the secret TTL to appropriately match the expiration of the token
resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
// STS are purposefully short-lived and aren't renewable
resp.Secret.Renewable = false
return resp, nil
} }
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) { func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {

3
changelog/15869.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:change
secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls
```