Dynamic Secrets: add Temporary Credentials for AWS IAM Roles #4471
Snyk checks have passed. No issues have been found so far. security/snyk check is complete. No issues have been found.
Greptile Summary
This PR introduces temporary credentials support for AWS IAM dynamic secrets, allowing users to generate short-lived AWS access tokens instead of creating temporary IAM users. The implementation adds a new `credentialType` parameter with two options: "IAM User" (default, existing behavior) and "Temporary Credentials" (new functionality using AWS STS).
The changes span both frontend and backend components:
Backend Changes:
- Added `AwsIamCredentialType` enum with `IamUser` and `TemporaryCredentials` options
- Extended AWS IAM provider to support temporary credential generation using AWS STS APIs (`GetSessionToken` and `AssumeRole`)
- Implemented proper duration handling with AWS STS limits and credential validation
- Added early return logic for temporary credential revocation (no cleanup needed)
Frontend Changes:
- Updated form schemas across multiple components to include the new `credentialType` field
- Added conditional rendering to hide IAM-user-specific fields (user groups, policies, username templates) when temporary credentials are selected
- Modified credential display component to show session tokens and make usernames optional
- Enhanced UI with descriptive help text explaining the two credential types
Documentation Updates:
- Restructured AWS IAM dynamic secrets documentation with tabbed sections for each credential type
- Added required IAM permissions for STS operations
- Documented different output formats for each credential type
The feature maintains backward compatibility by defaulting to the existing IAM user creation behavior while providing a more secure alternative that doesn't require persistent AWS resource management. This aligns with AWS security best practices and provides better scalability since temporary credentials expire automatically without requiring cleanup.
Confidence score: 4/5
- This PR is generally safe to merge with some considerations around testing and validation
- Score reflects well-structured implementation with proper backward compatibility, but concerns about comprehensive testing of AWS STS integration and edge cases
- Pay close attention to the AWS IAM provider implementation and form validation logic to ensure proper handling of authentication methods and duration limits
6 files reviewed, 4 comments
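The duration handling and revocation behaviour the summary describes, as an added example in TypeScript (not Infisical's code; the enum values, function names and limit table are assumptions, while the STS bounds are AWS-documented):

```typescript
// Added example, not the PR's code. Chooses the STS operation for a
// temporary-credential lease and keeps the requested TTL within STS limits.
// Enum values and names below are assumptions; the limits are AWS-documented:
// GetSessionToken accepts 900..129600 s (3600 s max for root credentials),
// AssumeRole accepts 900..43200 s, further capped by the role's MaxSessionDuration.

enum AwsIamCredentialType {
  IamUser = "iam-user",
  TemporaryCredentials = "temporary-credentials",
}

type StsOperation = "GetSessionToken" | "AssumeRole";

interface StsPlan {
  operation: StsOperation;
  durationSeconds: number;
  roleArn?: string;
}

const STS_LIMITS: Record<StsOperation, { min: number; max: number }> = {
  GetSessionToken: { min: 900, max: 129_600 },
  AssumeRole: { min: 900, max: 43_200 },
};

/** Builds STS call parameters for a lease of ttlSeconds; a role ARN selects AssumeRole. */
function planStsCall(ttlSeconds: number, roleArn?: string): StsPlan {
  if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
    throw new Error("ttlSeconds must be a positive integer");
  }
  const operation: StsOperation = roleArn ? "AssumeRole" : "GetSessionToken";
  const { min, max } = STS_LIMITS[operation];
  // Reject rather than silently clamp: a lease shorter than the STS minimum
  // cannot be honoured, and one longer than the maximum would be misconfigured.
  if (ttlSeconds < min || ttlSeconds > max) {
    throw new Error(`${operation} DurationSeconds must be between ${min} and ${max}`);
  }
  return roleArn
    ? { operation, durationSeconds: ttlSeconds, roleArn }
    : { operation, durationSeconds: ttlSeconds };
}

/** Revocation: STS credentials expire on their own, so only IAM users need cleanup. */
function needsCleanupOnRevoke(type: AwsIamCredentialType): boolean {
  return type === AwsIamCredentialType.IamUser;
}
```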
...manager/SecretDashboardPage/components/ActionBar/CreateDynamicSecretForm/AwsIamInputForm.tsx
| GitGuardian id | GitGuardian status | Secret | Commit | Filename |
|---|---|---|---|---|
| 9605380 | Triggered | Generic Private Key | 59555c2 | backend/e2e-test/routes/v4/secrets.spec.ts |
🛠 Guidelines to remediate hardcoded secrets
- Understand the implications of revoking this secret by investigating where it is used in your code.
- Replace and store your secret safely. Learn here the best practices.
- Revoke and rotate this secret.
- If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.
To avoid such incidents in the future, consider
- following these best practices for managing and storing secrets, including API keys and other credentials
- installing secret detection on pre-commit to catch secrets before they leave your machine and ease remediation.
🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.
Description 📣
Add a new option for temporary credentials for AWS IAM Roles on the existing Dynamic Secret. Now users will be able not only to create temporary users but also to retrieve temporary access credentials for their connections.