secrets/aws: don't create leases for AWS STS secrets (#15869)
* don't create leases for AWS STS secrets * don't create leases for aws federation tokens
This commit is contained in:
parent
6d92ef4d9a
commit
cff0baf322
|
@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
|
||||||
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
|
return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
|
// STS credentials cannot be revoked so do not create a lease
|
||||||
|
return &logical.Response{
|
||||||
|
Data: map[string]interface{}{
|
||||||
"access_key": *tokenResp.Credentials.AccessKeyId,
|
"access_key": *tokenResp.Credentials.AccessKeyId,
|
||||||
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
||||||
"security_token": *tokenResp.Credentials.SessionToken,
|
"security_token": *tokenResp.Credentials.SessionToken,
|
||||||
}, map[string]interface{}{
|
"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
|
||||||
"username": username,
|
},
|
||||||
"policy": policy,
|
}, nil
|
||||||
"is_sts": true,
|
|
||||||
})
|
|
||||||
|
|
||||||
// Set the secret TTL to appropriately match the expiration of the token
|
|
||||||
resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
|
|
||||||
|
|
||||||
// STS are purposefully short-lived and aren't renewable
|
|
||||||
resp.Secret.Renewable = false
|
|
||||||
|
|
||||||
return resp, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
||||||
|
@ -238,24 +230,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
|
||||||
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
|
return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
|
// STS credentials cannot be revoked so do not create a lease
|
||||||
|
return &logical.Response{
|
||||||
|
Data: map[string]interface{}{
|
||||||
"access_key": *tokenResp.Credentials.AccessKeyId,
|
"access_key": *tokenResp.Credentials.AccessKeyId,
|
||||||
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
"secret_key": *tokenResp.Credentials.SecretAccessKey,
|
||||||
"security_token": *tokenResp.Credentials.SessionToken,
|
"security_token": *tokenResp.Credentials.SessionToken,
|
||||||
"arn": *tokenResp.AssumedRoleUser.Arn,
|
"arn": *tokenResp.AssumedRoleUser.Arn,
|
||||||
}, map[string]interface{}{
|
"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
|
||||||
"username": roleSessionName,
|
},
|
||||||
"policy": roleArn,
|
}, nil
|
||||||
"is_sts": true,
|
|
||||||
})
|
|
||||||
|
|
||||||
// Set the secret TTL to appropriately match the expiration of the token
|
|
||||||
resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
|
|
||||||
|
|
||||||
// STS are purposefully short-lived and aren't renewable
|
|
||||||
resp.Secret.Renewable = false
|
|
||||||
|
|
||||||
return resp, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
|
func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:change
|
||||||
|
secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls
|
||||||
|
```
|
Loading…
Reference in New Issue