sts: Add support of AssumeRoleWithWebIdentity and DurationSeconds (#18835)

To force limit the duration of STS accounts, the user can create a new
policy, like the following:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["sts:AssumeRoleWithWebIdentity"],
    "Condition": {"NumericLessThanEquals": {"sts:DurationSeconds": "300"}}
  }]
}

And force binding the policy to all OpenID users, whether using a claim name or role ARN.
This commit is contained in:
Anis Eleuch
2024-02-05 20:44:23 +01:00
committed by GitHub
parent e046eb1d17
commit 7aa00bff89
3 changed files with 39 additions and 0 deletions


@@ -2054,6 +2054,13 @@ func (sys *IAMSys) GetCombinedPolicy(policies ...string) policy.Policy {
return policy
}
// doesPolicyAllow - checks if the given policy allows the passed action with given args. This is rarely needed.
// Notice there is no account name involved, so this is a dangerous function.
func (sys *IAMSys) doesPolicyAllow(policy string, args policy.Args) bool {
// Policies were found, evaluate all of them.
return sys.GetCombinedPolicy(policy).IsAllowed(args)
}
// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (sys *IAMSys) IsAllowed(args policy.Args) bool {
// If opa is configured, use OPA always.
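Review bot: the body comment in the new doesPolicyAllow, "Policies were found, evaluate all of them.", does not match the signature, which takes a single policy name and performs no lookup; suggest "Evaluate the named policy against args." Since the doc comment already flags that no account name is involved, it should also state what the caller is responsible for: passing the policy actually mapped to the authenticated identity, and populating in args the condition values the policy may reference (the commit message's sts:DurationSeconds case), because nothing in this function derives them from an account. A minor style point: the parameter named policy shadows the policy package inside the body, which this file already does in GetCombinedPolicy, but a name such as policyName would avoid the ambiguity in a function explicitly labelled dangerous.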