Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix(s3api): include account ID in STS AssumedRoleUser ARN 

- Consistent with AWS, include the account ID in the assumed-role ARN
- Use the configured account ID from STS service if available, otherwise default to '111122223333'
- Apply to both AssumeRole and AssumeRoleWithLDAPIdentity handlers
- Also update .gitignore to ignore IAM test environment files
pull/8003/head
Chris Lu 3 days ago
parent
113ccbfe4a
commit
b0f63c0a69
2 changed files with 11 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      .gitignore
  2. 12
      weed/s3api/s3api_sts.go

1
.gitignore
View File

@ -137,3 +137,4 @@ test/s3/remote_cache/primary-server.pid
# ID and PID files # ID and PID files
*.id *.id
*.pid *.pid
test/s3/iam/.test_env

12
weed/s3api/s3api_sts.go
View File

@ -318,6 +318,12 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
return return
} }
// Get account ID from STS config or use default
accountId := "111122223333" // Default account ID
if h.stsService != nil && h.stsService.Config != nil && h.stsService.Config.AccountId != "" {
accountId = h.stsService.Config.AccountId
}
// Build and return response with proper ARN formatting // Build and return response with proper ARN formatting
xmlResponse := &AssumeRoleResponse{ xmlResponse := &AssumeRoleResponse{
Result: AssumeRoleResult{ Result: AssumeRoleResult{
@ -329,7 +335,7 @@ func (h *STSHandlers) handleAssumeRole(w http.ResponseWriter, r *http.Request) {
}, },
AssumedRoleUser: &AssumedRoleUser{ AssumedRoleUser: &AssumedRoleUser{
AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName), AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName),
Arn: fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, roleSessionName),
Arn: fmt.Sprintf("arn:aws:sts::%s:assumed-role/%s/%s", accountId, roleName, roleSessionName),
}, },
}, },
} }
@ -487,6 +493,8 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
} }
// Build and return response with proper ARN formatting // Build and return response with proper ARN formatting
// accountId is already defined above (line 423-426)
xmlResponse := &AssumeRoleWithLDAPIdentityResponse{ xmlResponse := &AssumeRoleWithLDAPIdentityResponse{
Result: LDAPIdentityResult{ Result: LDAPIdentityResult{
Credentials: STSCredentials{ Credentials: STSCredentials{
@ -497,7 +505,7 @@ func (h *STSHandlers) handleAssumeRoleWithLDAPIdentity(w http.ResponseWriter, r
}, },
AssumedRoleUser: &AssumedRoleUser{ AssumedRoleUser: &AssumedRoleUser{
AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName), AssumedRoleId: fmt.Sprintf("%s:%s", roleName, roleSessionName),
Arn: fmt.Sprintf("arn:aws:sts::assumed-role/%s/%s", roleName, roleSessionName),
Arn: fmt.Sprintf("arn:aws:sts::%s:assumed-role/%s/%s", accountId, roleName, roleSessionName),
}, },
}, },
} }

Write Preview
Loading…
Cancel
Save