mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-15 19:17:02 +02:00
ee55e36af6
Previously, the renew method would ALWAYS check to ensure the authenticated IAM principal ARN matched the bound ARN. However, there is a valid use case in which no bound_iam_principal_arn is specified and all bindings are done through inferencing. When a role is configured like this, clients won't be able to renew their token because of the check. This now checks to ensure that the bound_iam_principal_arn is not empty before requriing that it match the originally authenticated client. Fixes #2781 |
||
|---|---|---|
| .. | ||
| app-id.html.md | ||
| approle.html.md | ||
| aws.html.md | ||
| cert.html.md | ||
| github.html.md | ||
| index.html.md | ||
| ldap.html.md | ||
| mfa.html.md | ||
| okta.html.md | ||
| radius.html.md | ||
| token.html.md | ||
| userpass.html.md | ||