2dc468f4d1
* auth/aws: Make identity alias configurable This is inspired by #4178, though not quite exactly what is requested there. Rather than just use RoleSessionName as the Identity alias, the full ARN is used as the Alias. This mitigates against concerns that an AWS role with an insufficiently secured trust policy could allow an attacker to generate arbitrary RoleSessionNames in AssumeRole calls to impersonate anybody in the Identity store that had an alias set up. By using the full ARN, the owner of the identity store has to explicitly trust specific AWS roles in specific AWS accounts to generate an appropriate RoleSessionName to map back to an identity. Fixes #4178 * Respond to PR feedback * Remove CreateOperation Response to PR feedback |
||
---|---|---|
.. | ||
audit | ||
credential | ||
logical | ||
plugin |