Add service account type in IAM (#9029)

2025-11-10 05:59:43 -05:00 · 2020-03-17 18:36:13 +01:00
parent 8b880a246a
commit 496f4a7dc7
15 changed files with 815 additions and 153 deletions
--- a/pkg/auth/credentials.go
+++ b/pkg/auth/credentials.go
@@ -90,6 +90,7 @@ type Credentials struct {
 	Expiration   time.Time `xml:"Expiration" json:"expiration,omitempty"`
 	SessionToken string    `xml:"SessionToken" json:"sessionToken,omitempty"`
 	Status       string    `xml:"-" json:"status,omitempty"`
+	ParentUser   string    `xml:"-" json:"parentUser,omitempty"`
 }

 func (cred Credentials) String() string {
@@ -119,7 +120,12 @@ func (cred Credentials) IsExpired() bool {

 // IsTemp - returns whether credential is temporary or not.
 func (cred Credentials) IsTemp() bool {
-	return cred.SessionToken != ""
+	return cred.SessionToken != "" && cred.ParentUser == ""
+}
+
+// IsServiceAccount - returns whether credential is a service account or not
+func (cred Credentials) IsServiceAccount() bool {
+	return cred.ParentUser != ""
 }

 // IsValid - returns whether credential is valid or not.
@@ -207,14 +213,15 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 		"/", "+", -1)
 	cred.Status = "on"

+	if tokenSecret == "" {
+		cred.Expiration = timeSentinel
+		return cred, nil
+	}
+
 	expiry, err := ExpToInt64(m["exp"])
 	if err != nil {
 		return cred, err
 	}
-	if expiry == 0 {
-		cred.Expiration = timeSentinel
-		return cred, nil
-	}

 	m["accessKey"] = cred.AccessKey
 	jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, jwtgo.MapClaims(m))