Backport of Revert changes to STS leases but keep the ttl field into release/1.13.x

builtin/logical/aws/secret_access_keys.go

@@ -155,15 +155,28 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	// STS credentials cannot be revoked so do not create a lease
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"access_key":     *tokenResp.Credentials.AccessKeyId,
-			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-			"security_token": *tokenResp.Credentials.SessionToken,
-			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
-		},
-	}, nil
+	// While STS credentials cannot be revoked/renewed, we will still create a lease since users are
+	// relying on a non-zero `lease_duration` in order to manage their lease lifecycles manually.
+	//
+	ttl := tokenResp.Credentials.Expiration.Sub(time.Now())
+	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
+		"access_key":     *tokenResp.Credentials.AccessKeyId,
+		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+		"security_token": *tokenResp.Credentials.SessionToken,
+		"ttl":            uint64(ttl.Seconds()),
+	}, map[string]interface{}{
+		"username": username,
+		"policy":   policy,
+		"is_sts":   true,
+	})
+
+	// Set the secret TTL to appropriately match the expiration of the token
+	resp.Secret.TTL = ttl
+
+	// STS are purposefully short-lived and aren't renewable
+	resp.Secret.Renewable = false
+
+	return resp, nil
 }
 
 func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
@@ -230,16 +243,29 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	// STS credentials cannot be revoked so do not create a lease
-	return &logical.Response{
-		Data: map[string]interface{}{
-			"access_key":     *tokenResp.Credentials.AccessKeyId,
-			"secret_key":     *tokenResp.Credentials.SecretAccessKey,
-			"security_token": *tokenResp.Credentials.SessionToken,
-			"arn":            *tokenResp.AssumedRoleUser.Arn,
-			"ttl":            uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
-		},
-	}, nil
+	// While STS credentials cannot be revoked/renewed, we will still create a lease since users are
+	// relying on a non-zero `lease_duration` in order to manage their lease lifecycles manually.
+	//
+	ttl := tokenResp.Credentials.Expiration.Sub(time.Now())
+	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
+		"access_key":     *tokenResp.Credentials.AccessKeyId,
+		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
+		"security_token": *tokenResp.Credentials.SessionToken,
+		"arn":            *tokenResp.AssumedRoleUser.Arn,
+		"ttl":            uint64(ttl.Seconds()),
+	}, map[string]interface{}{
+		"username": roleSessionName,
+		"policy":   roleArn,
+		"is_sts":   true,
+	})
+
+	// Set the secret TTL to appropriately match the expiration of the token
+	resp.Secret.TTL = ttl
+
+	// STS are purposefully short-lived and aren't renewable
+	resp.Secret.Renewable = false
+
+	return resp, nil
 }
 
 func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {

changelog/20034.txt

@@ -0,0 +1,3 @@
+```release-note: bug
+secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place.
+```