sts: Add support of AssumeRoleWithWebIdentity and DurationSeconds (#18835)

To force limit the duration of STS accounts, the user can create a new policy, like the following: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["sts:AssumeRoleWithWebIdentity"], "Condition": {"NumericLessThanEquals": {"sts:DurationSeconds": "300"}} }] } And force binding the policy to all OpenID users, whether using a claim name or role ARN.
2025-11-07 12:52:58 -05:00 · 2024-02-05 20:44:23 +01:00
parent e046eb1d17
commit 7aa00bff89
3 changed files with 39 additions and 0 deletions
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -493,6 +493,30 @@ func (sts *stsAPIHandlers) AssumeRoleWithSSO(w http.ResponseWriter, r *http.Requ
 		cred.ParentUser = base64.RawURLEncoding.EncodeToString(bs)
 	}

+	// Deny this assume role request if the policy that the user intends to bind
+	// has a sts:DurationSeconds condition, which is not satisfied as well
+	{
+		p := policyName
+		if p == "" {
+			var err error
+			_, p, err = globalIAMSys.GetRolePolicy(roleArnStr)
+			if err != nil {
+				writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, err)
+				return
+			}
+		}
+
+		if !globalIAMSys.doesPolicyAllow(p, policy.Args{
+			DenyOnly:        true,
+			Action:          policy.AssumeRoleWithWebIdentityAction,
+			ConditionValues: getSTSConditionValues(r, "", cred),
+			Claims:          cred.Claims,
+		}) {
+			writeSTSErrorResponse(ctx, w, ErrSTSAccessDenied, errors.New("this user does not have enough permission"))
+			return
+		}
+	}
+
 	// Set the newly generated credentials.
 	updatedAt, err := globalIAMSys.SetTempUser(ctx, cred.AccessKey, cred, policyName)
 	if err != nil {