feat(iam): persist STS temp credential secrets for later lookup #389
Merged
vieiralucas merged 1 commit into main (Apr 14, 2026)
Conversation
Previously STS generated per-request temporary credentials for
AssumeRole / AssumeRoleWithWebIdentity / AssumeRoleWithSAML and stored
only the access key ID in credential_identities, discarding the secret
and session token. GetSessionToken and GetFederationToken returned
hardcoded example constants that were not persisted at all.
Batch 3 (SigV4 verification) and batch 4 (IAM enforcement) need to look
up the secret access key by AKID, so all five operations now persist
the full credential in a new sts_temp_credentials map keyed by AKID,
including the absolute expiration time.
- New StsTempCredential struct and sts_temp_credentials HashMap field
on IamState.
- New IamState::credential_secret / credential_secret_readonly helpers
that resolve AKID -> {secret, session_token, principal_arn, user_id,
account_id}. Lazy-purge expired STS temp credentials on the mutable
variant. account_id is sourced from the credential itself, not global
config, so #381 (multi-account) becomes a state-partitioning change.
- AssumeRole / AssumeRoleWithWebIdentity / AssumeRoleWithSAML now
populate sts_temp_credentials alongside credential_identities.
- GetSessionToken resolves the caller via credential_secret, generates
fresh per-request credentials, persists them, and wires them into
the response helper instead of returning AQoEXAMPLEH4 constants.
- GetFederationToken also generates + persists per-request credentials
and resolves the federated-user ARN into the stored principal.
- xml_responses::{get_session_token_response, get_federation_token_response}
now take StsCredentials rather than hardcoding the example values.
- Added 5 unit tests on IamState and an E2E regression test that calls
AssumeRole, signs GetCallerIdentity with the returned temp creds,
and asserts the assumed-role ARN resolves correctly.
Summary
Batch 2 of 9 for the opt-in SigV4 verification + IAM enforcement work. Makes STS temporary credentials persistable and round-trippable so later batches can look them up by access key ID.
Previously:
- AssumeRole / AssumeRoleWithWebIdentity / AssumeRoleWithSAML stored only the access key ID in credential_identities, discarding the secret and session token.
- GetSessionToken / GetFederationToken returned hardcoded AQoEXAMPLEH4 / FSIAIOSFODNN7EXAMPLE constants that were not persisted.
Now:
- StsTempCredential struct + sts_temp_credentials: HashMap<String, StsTempCredential> field on IamState, carrying secret access key, session token, principal ARN, user id, account id, and absolute expiration.
- IamState::credential_secret / credential_secret_readonly helpers that resolve AKID → SecretLookup {secret, session_token, principal_arn, user_id, account_id}. Expired STS temp credentials are lazy-purged on the mutable variant.
- xml_responses constants are gone).
- account_id is sourced from the credential itself (not from global config), so #381 (Feature proposal: multi-account isolation within a single fakecloud instance) becomes a state-partitioning change rather than a cross-cutting rewrite.
Why this batch comes before SigV4 verification
Batch 3 adds verify_sigv4, which needs to look up the secret access key for any AKID in circulation — including STS temporary credentials. If the STS table doesn't store the secret, any SDK that calls AssumeRole and then uses the returned credentials would fail verification. This batch fixes that gap first.
Decisions
- GetSessionToken now resolves the caller via credential_secret and scopes the new temporary credential to that principal (falling back to account root when the caller isn't a known IAM user — matches AWS behavior with root creds).
- GetFederationToken resolves the federated-user ARN from the Name parameter as before, but now persists a real per-request credential tied to that ARN.
- xml_responses::{get_session_token_response, get_federation_token_response} are removed. They were compatible in isolation but are incompatible with per-request verification.
- sts_get_session_token / sts_get_federation_token) previously asserted on the hardcoded token prefix AQoEXAMPLEH4; updated to the per-request FQoGZXIvYXdzE format and extended to assert two calls return distinct credentials.
Test plan
- cargo test -p fakecloud-iam — 78 tests including 5 new state::tests::credential_secret_* cases
- cargo test -p fakecloud-e2e --test iam sts_ — 11 STS e2e tests, including a new sts_assume_role_temp_credentials_resolve_via_get_caller_identity that round-trips AssumeRole → GetCallerIdentity with the temporary credentials and verifies the assumed-role ARN
- cargo test -p fakecloud-conformance — 711+ tests, all green (zero regressions)
- cargo clippy --workspace --all-targets -- -D warnings clean
- cargo fmt --check clean
Summary by cubic
Persists STS temporary credential secrets and session tokens so we can look them up by access key ID for upcoming SigV4 verification and IAM enforcement. All STS APIs now return and persist per-request credentials instead of static examples.
- StsTempCredential and sts_temp_credentials on IamState with absolute expiration.
- IamState::credential_secret and credential_secret_readonly to resolve AKID → {secret, session token, principal ARN, user id, account id}, with lazy purge of expired entries.
- AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML, GetSessionToken, and GetFederationToken to store full credentials and use them in XML responses.
- GetSessionToken now scopes creds to the caller (falls back to account root); GetFederationToken ties creds to the federated-user ARN.
Written for commit ec0efd1.
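The AKID lookup with lazy purge that the PR description outlines, as an added Rust sketch that is not the project's code: the StsTempCredential, SecretLookup and IamState shapes and the two helper names are assumptions modelled on the names in this PR, and expiration is taken as Unix seconds supplied by the caller so the behaviour is deterministic.

```rust
use std::collections::HashMap;

/// Assumed mirror of the PR's StsTempCredential: the full credential that
/// later SigV4 verification needs, stored on IamState keyed by AKID.
#[derive(Clone, Debug, PartialEq)]
pub struct StsTempCredential {
    pub secret_access_key: String,
    pub session_token: String,
    pub principal_arn: String,
    pub user_id: String,
    pub account_id: String,
    /// Absolute expiration as Unix seconds (representation assumed here).
    pub expires_at: u64,
}

/// Assumed shape of the PR's SecretLookup result.
#[derive(Clone, Debug, PartialEq)]
pub struct SecretLookup {
    pub secret: String,
    pub session_token: String,
    pub principal_arn: String,
    pub user_id: String,
    pub account_id: String,
}

#[derive(Default)]
pub struct IamState {
    pub sts_temp_credentials: HashMap<String, StsTempCredential>,
}

impl IamState {
    /// Read-only lookup: an expired entry is treated as absent but is not
    /// removed, since callers of this variant may only hold a shared borrow.
    pub fn credential_secret_readonly(&self, akid: &str, now: u64) -> Option<SecretLookup> {
        self.sts_temp_credentials
            .get(akid)
            .filter(|c| c.expires_at > now)
            .map(|c| SecretLookup {
                secret: c.secret_access_key.clone(),
                session_token: c.session_token.clone(),
                principal_arn: c.principal_arn.clone(),
                user_id: c.user_id.clone(),
                account_id: c.account_id.clone(),
            })
    }

    /// Mutable lookup: lazily purge every expired temp credential first so
    /// the map cannot grow without bound, then resolve the AKID.
    pub fn credential_secret(&mut self, akid: &str, now: u64) -> Option<SecretLookup> {
        self.sts_temp_credentials.retain(|_, c| c.expires_at > now);
        self.credential_secret_readonly(akid, now)
    }
}
```

Note that the expiration check is strict: an entry whose expires_at equals the current time is already unusable, which is the boundary a verifier should reject.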