Cache AWS tokens per role.

Before the commit, the AWS token was saved independently of a role. In that case, if a user requests temporary credentials initially with a role A, the obtained AWS token will be cached (so far so good). However, if the user wants to obtains the credentials for some other role B and the cached AWS token is still valid, this cached token for role A will be reused. With this commit, the AWS token are cached per role.
mbrtargeting · Apr 2, 2020 · 1cf0152 · 1cf0152
1 parent 3c6a975
commit 1cf0152
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/internal/aws_oidc.go b/internal/aws_oidc.go
@@ -32,19 +32,20 @@ func (cred AWSCredentials) Valid() bool {
 }
 
 func GetCredentialsWithOIDC(client *OIDCClient, idToken string, roleARN string, durationSeconds int64) (*AWSCredentials, error) {
- var awsCreds *AWSCredentials = nil
+ awsCredsBag := map[string]*AWSCredentials{}
  jsonString, err := getAWSTokenCache()
  if err != nil {
  if err != ErrNotFound {
  return nil, err
  }
  } else {
- if err := json.Unmarshal([]byte(jsonString), &awsCreds); err != nil {
+ if err := json.Unmarshal([]byte(jsonString), &awsCredsBag); err != nil {
  return nil, err
  }
  }
 
- if awsCreds != nil && awsCreds.Valid() {
+ awsCreds, awsCredsFound := awsCredsBag[roleARN]
+ if awsCredsFound && awsCreds.Valid() {
  return awsCreds, nil
  }
 
@@ -53,12 +54,13 @@ func GetCredentialsWithOIDC(client *OIDCClient, idToken string, roleARN string,
  return nil, err
  }
 
- awsCredsJSON, err := json.Marshal(token)
+ awsCredsBag[roleARN] = token
+ awsCredsBagJSON, err := json.Marshal(awsCredsBag)
  if err != nil {
  return nil, err
  }
 
- if err := saveAWSTokenCache(string(awsCredsJSON)); err != nil {
+ if err := saveAWSTokenCache(string(awsCredsBagJSON)); err != nil {
  return nil, err
  }