secrets/aws: don't create leases for AWS STS secrets (#15869)

* don't create leases for AWS STS secrets * don't create leases for aws federation tokens
hashicorp · Oct 28, 2022 · 465112b · 465112b
1 parent 8ff7aaa
commit 465112b
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 35 deletions.
diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go
@@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
-		"access_key":     *tokenResp.Credentials.AccessKeyId,
-		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-		"security_token": *tokenResp.Credentials.SessionToken,
-	}, map[string]interface{}{
-		"username": username,
-		"policy":   policy,
-		"is_sts":   true,
-	})
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
+	// STS credentials cannot be revoked so do not create a lease
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"access_key":     *tokenResp.Credentials.AccessKeyId,
+			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+			"security_token": *tokenResp.Credentials.SessionToken,
+			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
+		},
+	}, nil
 }
 
 func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
@@ -238,24 +230,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
-		"access_key":     *tokenResp.Credentials.AccessKeyId,
-		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-		"security_token": *tokenResp.Credentials.SessionToken,
-		"arn":            *tokenResp.AssumedRoleUser.Arn,
-	}, map[string]interface{}{
-		"username": roleSessionName,
-		"policy":   roleArn,
-		"is_sts":   true,
-	})
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
+	// STS credentials cannot be revoked so do not create a lease
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"access_key":     *tokenResp.Credentials.AccessKeyId,
+			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+			"security_token": *tokenResp.Credentials.SessionToken,
+			"arn":            *tokenResp.AssumedRoleUser.Arn,
+			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
+		},
+	}, nil
 }
 
 func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {

diff --git a/changelog/15869.txt b/changelog/15869.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls
+```