change service account embedded policy size limit (#19840)

Bonus: trim-off all the unnecessary spaces to allow
for real 2048 characters in policies for STS handlers
and re-use the code in all STS handlers.
Harshavardhana
2024-05-30 11:10:41 -07:00
committed by GitHub
parent 4af31e654b
commit 8f93e81afb
4 changed files with 67 additions and 82 deletions


@@ -78,6 +78,10 @@ const (
inheritedPolicyType = "inherited-policy"
)
const (
maxSVCSessionPolicySize = 4096
)
// IAMSys - config system.
type IAMSys struct {
// Need to keep them here to keep alignment - ref: https://golang.org/pkg/sync/atomic/#pkg-note-BUG
@@ -977,7 +981,7 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
if err != nil {
return auth.Credentials{}, time.Time{}, err
}
if len(policyBuf) > 2048 {
if len(policyBuf) > maxSVCSessionPolicySize {
return auth.Credentials{}, time.Time{}, errSessionPolicyTooLarge
}
}
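Review bot: `maxSVCSessionPolicySize` is introduced without a comment stating its unit or scope, and the check in NewServiceAccount compares it with `len(policyBuf)`, which is a byte count, while the commit message speaks of characters. A comment such as `// maxSVCSessionPolicySize is the maximum size, in bytes, of the policy embedded in a service account.` would make the bound unambiguous for anyone tuning it later. The returned `errSessionPolicyTooLarge` is defined outside this hunk; if its text still names the 2048 limit, it would mislead callers who are now rejected at 4096, so that is worth confirming. Any other path that stores a service account's embedded policy should presumably compare against the same constant rather than a literal. NewServiceAccount's body starts and ends outside the hunk.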