feat: create service accounts with same claims as parent (#13357)

allow claims from LDAP/OIDC to be inherited to service accounts as well to allow dynamic policies. fixes #13325
2025-11-09 21:49:46 -05:00 · 2021-10-05 11:49:33 -07:00
parent 3d5750f31c
commit d7cb6de820
2 changed files with 16 additions and 15 deletions
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -1171,8 +1171,7 @@ type newServiceAccountOpts struct {
 	accessKey     string
 	secretKey     string

-	// LDAP username
-	ldapUsername string
+	claims map[string]interface{}
 }

 // NewServiceAccount - create a new service account
@@ -1260,9 +1259,12 @@ func (sys *IAMSys) NewServiceAccount(ctx context.Context, parentUser string, gro
 		m[iamPolicyClaimNameSA()] = "inherited-policy"
 	}

-	// For LDAP service account, save the ldap username in the metadata.
-	if opts.ldapUsername != "" {
-		m[ldapUserN] = opts.ldapUsername
+	// Add all the necessary claims for the service accounts.
+	for k, v := range opts.claims {
+		_, ok := m[k]
+		if !ok {
+			m[k] = v
+		}
 	}

 	var (