Check if there's a bound iam arn when renewing #2819

Merged
merged 1 commit into from
Jun 7, 2017

Conversation

joelthompson

Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN. However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requiring that it match the originally authenticated client.

Fixes #2781
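
The renewal check described above, before and after the change, as an added Go example that is not code from this pull request or from Vault. The `role` and `tokenMeta` types, the function names and the ARNs are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the role configuration and the
// metadata stored with the token at login; not Vault's actual types.
type role struct {
	BoundIAMPrincipalARN string // empty when the role binds only via inferencing
}

type tokenMeta struct {
	CanonicalARN string // IAM principal ARN that authenticated at login
}

var errARNMismatch = errors.New("role no longer bound to the authenticated ARN")

// renewBefore models the old behaviour: the comparison always runs, so an
// empty bound ARN never equals the client's ARN and renewal is refused.
func renewBefore(r role, t tokenMeta) error {
	if r.BoundIAMPrincipalARN != t.CanonicalARN {
		return errARNMismatch
	}
	return nil
}

// renewAfter models the fix: the comparison is enforced only when a bound
// ARN is configured. The role's other bindings are outside this sketch.
func renewAfter(r role, t tokenMeta) error {
	if r.BoundIAMPrincipalARN != "" && r.BoundIAMPrincipalARN != t.CanonicalARN {
		return errARNMismatch
	}
	return nil
}

func main() {
	client := tokenMeta{CanonicalARN: "arn:aws:iam::123456789012:role/app"} // constructed
	cases := map[string]role{
		"bound, matching":  {BoundIAMPrincipalARN: client.CanonicalARN},
		"bound, changed":   {BoundIAMPrincipalARN: "arn:aws:iam::123456789012:role/other"},
		"inferencing only": {},
	}
	for name, r := range cases {
		fmt.Printf("%-17s before=%v after=%v\n", name, renewBefore(r, client), renewAfter(r, client))
	}
}
```

A role whose bound ARN was changed after login is still refused renewal in both versions; only the empty-binding case changes.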

@jefferai jefferai requested a review from vishalnayak June 6, 2017 18:17
@jefferai jefferai added this to the 0.7.3 milestone Jun 7, 2017
@jefferai jefferai merged commit ee55e36 into hashicorp:master Jun 7, 2017
jefferai commented Jun 7, 2017

Thank you!

@joelthompson

Glad I could help! 😄

@joelthompson joelthompson deleted the fix_iam_arn_verification branch June 7, 2017 02:39