feat: allow service accounts to be generated with OpenID STS (#10184)

Bonus also fix a bug where we did not purge relevant service accounts generated by rotating credentials appropriately, service accounts should become invalid as soon as its corresponding parent user becomes invalid. Since service account themselves carry parent claim always we would never reach this problem, as the access get rejected at IAM policy layer.
2025-11-07 21:02:58 -05:00 · 2020-08-05 13:08:40 -07:00
parent cd04600862
commit e656beb915
4 changed files with 38 additions and 11 deletions
--- a/cmd/sts-handlers.go
+++ b/cmd/sts-handlers.go
@@ -355,9 +355,7 @@ func (sts *stsAPIHandlers) AssumeRoleWithJWT(w http.ResponseWriter, r *http.Requ
 			writeSTSErrorResponse(ctx, w, true, ErrSTSInvalidParameterValue, fmt.Errorf("Invalid session policy version"))
 			return
 		}
-	}

-	if len(sessionPolicyStr) > 0 {
 		m[iampolicy.SessionPolicyName] = base64.StdEncoding.EncodeToString([]byte(sessionPolicyStr))
 	}