From 1feb17b58d59a4c50c8dac7e179ce4c48cfaeb0b Mon Sep 17 00:00:00 2001
From: Brian Howe
Date: Wed, 8 Jun 2022 08:44:57 -0400
Subject: [PATCH 1/4] don't create leases for AWS STS secrets

---
 builtin/logical/aws/secret_access_keys.go | 28 ++++++++---------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go
index 7f5492ee5ae6..7ee268f9f361 100644
--- a/builtin/logical/aws/secret_access_keys.go
+++ b/builtin/logical/aws/secret_access_keys.go
@@ -238,24 +238,16 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error assuming role: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
-		"access_key": *tokenResp.Credentials.AccessKeyId,
-		"secret_key": *tokenResp.Credentials.SecretAccessKey,
-		"security_token": *tokenResp.Credentials.SessionToken,
-		"arn": *tokenResp.AssumedRoleUser.Arn,
-	}, map[string]interface{}{
-		"username": roleSessionName,
-		"policy": roleArn,
-		"is_sts": true,
-	})
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
+	// STS credentials cannot be revoked so do not create a lease
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"access_key": *tokenResp.Credentials.AccessKeyId,
+			"secret_key": *tokenResp.Credentials.SecretAccessKey,
+			"security_token": *tokenResp.Credentials.SessionToken,
+			"arn": *tokenResp.AssumedRoleUser.Arn,
+			"ttl": tokenResp.Credentials.Expiration.Sub(time.Now()),
+		},
+	}, nil
 }
 
 func readConfig(ctx context.Context, storage logical.Storage) (rootConfig, error) {
From 97e3b60d2143f42341f52ca434858973b4b603bf Mon Sep 17 00:00:00 2001
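Review bot: Clients that scheduled credential refresh from the lease (`lease_duration`, `lease_id`) now get a response with no lease, and the only expiry signal is the new `ttl` key inside `data`, whose meaning nothing in the hunk states. Spell the contract out next to the return, e.g. `// No lease is created: clients must read data["ttl"] and refresh before AWS expires these credentials.` Tooling that keys renewal off `lease_duration` (agent templating is the usual case) would treat these as static secrets, so the changelog may need to say so as well; I cannot see the consumers from here. assumeRole's signature and the STS call that fills tokenResp are outside the hunk.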
From: Brian Howe
Date: Thu, 9 Jun 2022 10:18:19 -0400
Subject: [PATCH 2/4] use number of seconds for ttl instead of time.Duration

---
 builtin/logical/aws/secret_access_keys.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go
index 7ee268f9f361..616c0247cb18 100644
--- a/builtin/logical/aws/secret_access_keys.go
+++ b/builtin/logical/aws/secret_access_keys.go
@@ -245,7 +245,7 @@ func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
 			"secret_key": *tokenResp.Credentials.SecretAccessKey,
 			"security_token": *tokenResp.Credentials.SessionToken,
 			"arn": *tokenResp.AssumedRoleUser.Arn,
-			"ttl": tokenResp.Credentials.Expiration.Sub(time.Now()),
+			"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
 		},
 	}, nil
 }
From 4635c9da68740ae099722d1ea45cc5b09c66ed62 Mon Sep 17 00:00:00 2001
From: Brian Howe
Date: Thu, 9 Jun 2022 10:24:43 -0400
Subject: [PATCH 3/4] add changelog

---
 changelog/15869.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/15869.txt

diff --git a/changelog/15869.txt b/changelog/15869.txt
new file mode 100644
index 000000000000..bb0278dccf98
--- /dev/null
+++ b/changelog/15869.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls
+```
\ No newline at end of file
From 69ee93e05147865f90255009d25b8cfc9229b593 Mon Sep 17 00:00:00 2001
From: Brian Howe
Date: Mon, 24 Oct 2022 14:19:23 -0500
Subject: [PATCH 4/4] don't create leases for aws federation tokens

---
 builtin/logical/aws/secret_access_keys.go | 26 ++++++++--------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/builtin/logical/aws/secret_access_keys.go b/builtin/logical/aws/secret_access_keys.go
index 18898e3681d9..eb83ed5fa16e 100644
--- a/builtin/logical/aws/secret_access_keys.go
+++ b/builtin/logical/aws/secret_access_keys.go
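Review bot: `uint64(... .Seconds())` on the added `ttl` line converts a float64 that goes negative whenever AWS's `Expiration` is already behind Vault's clock (skew, or a slow round trip), and the Go spec leaves the result of converting an out-of-range float to uint64 implementation-dependent, so a client could be told the credentials are valid for billions of seconds instead of zero. Clamp before converting: `ttl := tokenResp.Credentials.Expiration.Sub(time.Now())`, `if ttl < 0 { ttl = 0 }`, then `"ttl": uint64(ttl.Seconds())`. `time.Until(...)` is the idiomatic spelling of `Expiration.Sub(time.Now())` if the pointer is dereferenced first. The response literal this key sits in begins before the hunk.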
@@ -155,23 +155,15 @@ func (b *backend) getFederationToken(ctx context.Context, s logical.Storage,
 		return logical.ErrorResponse("Error generating STS keys: %s", err), awsutil.CheckAWSError(err)
 	}
 
-	resp := b.Secret(secretAccessKeyType).Response(map[string]interface{}{
-		"access_key": *tokenResp.Credentials.AccessKeyId,
-		"secret_key": *tokenResp.Credentials.SecretAccessKey,
-		"security_token": *tokenResp.Credentials.SessionToken,
-	}, map[string]interface{}{
-		"username": username,
-		"policy": policy,
-		"is_sts": true,
-	})
-
-	// Set the secret TTL to appropriately match the expiration of the token
-	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
-
-	// STS are purposefully short-lived and aren't renewable
-	resp.Secret.Renewable = false
-
-	return resp, nil
+	// STS credentials cannot be revoked so do not create a lease
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"access_key": *tokenResp.Credentials.AccessKeyId,
+			"secret_key": *tokenResp.Credentials.SecretAccessKey,
+			"security_token": *tokenResp.Credentials.SessionToken,
+			"ttl": uint64(tokenResp.Credentials.Expiration.Sub(time.Now()).Seconds()),
+		},
+	}, nil
 }
 
 func (b *backend) assumeRole(ctx context.Context, s logical.Storage,
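Review bot: The response block added here duplicates the one assumeRole builds, including the unguarded `uint64(... .Seconds())` on the `ttl` line, so an expiry that is already behind Vault's clock produces an implementation-dependent uint64 in both functions. Move the TTL computation into one helper that clamps at zero and call it from both sites; `time.Until` also replaces the `Expiration.Sub(time.Now())` form that staticcheck flags. `Expiration` appears to be a pointer, since the sibling fields are dereferenced, so the call site would read `"ttl": secondsUntil(*tokenResp.Credentials.Expiration)` — drop the `*` if it is a value. getFederationToken's signature and the STS call that fills tokenResp are outside the hunk.
```go
// secondsUntil reports the whole seconds from now until t, never negative,
// so a skewed or already-passed expiry cannot wrap into a huge uint64.
func secondsUntil(t time.Time) uint64 {
	if d := time.Until(t); d > 0 {
		return uint64(d.Seconds())
	}
	return 0
}

// … unchanged: error handling and the other data keys …
			"ttl": secondsUntil(*tokenResp.Credentials.Expiration),
```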