Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added role-option max_sts_ttl to cap TTL for AWS STS credentials. #5500

Merged
merged 3 commits into from
Oct 20, 2018
Merged

Added role-option max_sts_ttl to cap TTL for AWS STS credentials. #5500

merged 3 commits into from
Oct 20, 2018

Conversation

andrejvanderzee
Copy link
Contributor

@andrejvanderzee andrejvanderzee commented Oct 11, 2018
edited
Loading

PR for ability to cap TTL by setting max_sts_ttl on the role, like described here:
#5286

joelthompson
joelthompson suggested changes Oct 11, 2018
View reviewed changes
Copy link
Contributor

@joelthompson joelthompson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good to me! Just a couple small suggestions.

builtin/logical/aws/path_roles.go Outdated
}

maxSTSTTL := time.Duration(maxSTSTTLRaw.(int)) * time.Second
if roleEntry.DefaultSTSTTL > 0 && roleEntry.DefaultSTSTTL > maxSTSTTL {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Two things:

First,m I think you should also test if maxSTSTL > 0. The reason is that, let's say a user has a max_sts_ttl of 3600 and a default_sts_ttl of 1200. Then, the user wants to remove the max_sts_ttl. That could be done by explicitly setting max_sts_ttl to 0, but then it would trip this check.

Second, you should probably move this check to after this if block. Imagine a user first sets max_sts_ttl to 1200, then in a second request, sets default_sts_ttl to 1800. That should probably also fail out, but I don't think it would.

@andrejvanderzee
Copy link
Contributor Author

andrejvanderzee commented Oct 11, 2018
edited
Loading

@joelthompson Understood and implemented your suggestions (check for > 0 and moved sanity check outside if-block).

@jefferai jefferai added this to the 0.12 milestone Oct 15, 2018
@chrishoffman chrishoffman merged commit d22949a into hashicorp:master Oct 20, 2018
@chrishoffman chrishoffman mentioned this pull request Oct 20, 2018
Closed
@jefferai jefferai modified the milestones: 0.12, 0.11.4 Oct 22, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai left review comments

@joelthompson joelthompson joelthompson requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.11.4
Development

Successfully merging this pull request may close these issues.
4 participants
@andrejvanderzee @jefferai @joelthompson @chrishoffman