Map policy to parent for STS (#13884)

When STS credentials are created for a user, a unique (hopefully stable) parent user value exists for the credential, which corresponds to the user for whom the credentials are created. The access policy is mapped to this parent-user and is persisted. This helps ensure that all STS credentials of a user have the same policy assignment at all times. Before this change, for an OIDC STS credential, when the policy claim changes in the provider (when not using RoleARNs), the change would not take effect on existing credentials, but only on new ones. To support existing STS credentials without parent-user policy mappings, we lookup the policy in the policy claim value. This behavior should be deprecated when such support is no longer required, as it can still lead to stale policy mappings. Additionally this change also simplifies the implementation for all non-RoleARN STS credentials. Specifically, for AssumeRole (internal IDP) STS credentials, policies are picked up from the parent user's policies; for AssumeRoleWithCertificate STS credentials, policies are picked up from the parent user mapping created when the STS credential is generated. AssumeRoleWithLDAP already picks up policies mapped to the virtual parent user.
2025-11-07 21:02:58 -05:00 · 2021-12-17 00:46:30 -08:00
parent e270ab65b3
commit 890f43ffa5
4 changed files with 87 additions and 77 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@@ -1392,9 +1392,11 @@ func (store *IAMStoreSys) DeleteUser(ctx context.Context, accessKey string, user
 	return err
 }

-// SetTempUser - saves temporary credential to storage and cache.
+// SetTempUser - saves temporary (STS) credential to storage and cache. If a
+// policy name is given, it is associated with the parent user specified in the
+// credential.
 func (store *IAMStoreSys) SetTempUser(ctx context.Context, accessKey string, cred auth.Credentials, policyName string) error {
-	if accessKey == "" || !cred.IsTemp() || cred.IsExpired() {
+	if accessKey == "" || !cred.IsTemp() || cred.IsExpired() || cred.ParentUser == "" {
 		return errInvalidArgument
 	}

@@ -1411,26 +1413,12 @@ func (store *IAMStoreSys) SetTempUser(ctx context.Context, accessKey string, cre
 			return fmt.Errorf("specified policy %s, not found %w", policyName, errNoSuchPolicy)
 		}

-		err := store.saveMappedPolicy(ctx, accessKey, stsUser, false, mp, options{ttl: ttl})
+		err := store.saveMappedPolicy(ctx, cred.ParentUser, stsUser, false, mp, options{ttl: ttl})
 		if err != nil {
 			return err
 		}

-		cache.iamUserPolicyMap[accessKey] = mp
-
-		// We are on purpose not persisting the policy map for parent
-		// user, although this is a hack, it is a good enough hack
-		// at this point in time - we need to overhaul our OIDC
-		// usage with service accounts with a more cleaner implementation
-		//
-		// This mapping is necessary to ensure that valid credentials
-		// have necessary ParentUser present - this is mainly for only
-		// webIdentity based STS tokens.
-		if cred.ParentUser != "" && cred.ParentUser != globalActiveCred.AccessKey {
-			if _, ok := cache.iamUserPolicyMap[cred.ParentUser]; !ok {
-				cache.iamUserPolicyMap[cred.ParentUser] = mp
-			}
-		}
+		cache.iamUserPolicyMap[cred.ParentUser] = mp
 	}

 	u := newUserIdentity(cred)