secrets/aws: don't create leases for AWS STS secrets (#15869)

* don't create leases for AWS STS secrets

* don't create leases for aws federation tokens

builtin/logical/aws/secret_access_keys.go

@@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
+	// STS credentials cannot be revoked so do not create a lease
-		"access_key":     *tokenResp.Credentials.AccessKeyId,
+	return &logical.Response{
-		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+		Data: map[string]interface{}{
-		"security_token": *tokenResp.Credentials.SessionToken,
+			"access_key":     *tokenResp.Credentials.AccessKeyId,
-	}, map[string]interface{}{
+			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-		"username": username,
+			"security_token": *tokenResp.Credentials.SessionToken,
-		"policy":   policy,
+			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
-		"is_sts":   true,
+		},
-	})
+	}, nil
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
 }
 
 func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
@@ -238,24 +230,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
+	// STS credentials cannot be revoked so do not create a lease
-		"access_key":     *tokenResp.Credentials.AccessKeyId,
+	return &logical.Response{
-		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+		Data: map[string]interface{}{
-		"security_token": *tokenResp.Credentials.SessionToken,
+			"access_key":     *tokenResp.Credentials.AccessKeyId,
-		"arn":            *tokenResp.AssumedRoleUser.Arn,
+			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-	}, map[string]interface{}{
+			"security_token": *tokenResp.Credentials.SessionToken,
-		"username": roleSessionName,
+			"arn":            *tokenResp.AssumedRoleUser.Arn,
-		"policy":   roleArn,
+			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
-		"is_sts":   true,
+		},
-	})
+	}, nil
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
 }
 
 func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {

changelog/15869.txt

@@ -0,0 +1,3 @@
+```release-note:change
+secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls
+```