From 74ea8cd1622b4a4bd63f9b121a8e4fd731be2420 Mon Sep 17 00:00:00 2001
From: Pawel Kopiczko <pawel.kopiczko@goteleport.com>
Date: Tue, 30 Sep 2025 17:07:16 +0100
Subject: [PATCH] Fix issue with dry-run access_request.spec.expires overwrite
 in `tsh ssh`

---
 tool/tsh/common/tsh.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tool/tsh/common/tsh.go b/tool/tsh/common/tsh.go
index 8fe7320830123..77a543109b50a 100644
--- a/tool/tsh/common/tsh.go
+++ b/tool/tsh/common/tsh.go
@@ -3759,8 +3759,15 @@ func getAutoResourceRequest(ctx context.Context, tc *client.TeleportClient, requ
 	req.SetDryRun(true)
 	req.SetRequestReason("Dry run, this request will not be created. If you see this, there is a bug.")
 	if err := tc.WithRootClusterClient(ctx, func(clt authclient.ClientI) error {
-		req, err = clt.CreateAccessRequestV2(ctx, req)
-		return trace.Wrap(err)
+		dryRunReq, err := clt.CreateAccessRequestV2(ctx, req)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		// Copying the computed roles here is not strictly necessary but avoids requiring
+		// the server to recompute the roles when the real request is created, which can be
+		// an expensive operation.
+		req.SetRoles(dryRunReq.GetRoles())
+		return nil
 	}); err != nil {
 		return nil, trace.Wrap(err)
 	}