I have credstashes in separate AWS accounts that are combined into a single AWS org. I'd like to be able to access across them in a management tool by specifying different profiles in the same process lifetime.
`get_session` erroneously caches "the session" as a single variable (`get_session._cached_session`) rather than treating access key / session token / profile name as a cache key to identify which session we might be talking about.
This isn't a security issue / vulnerability in the traditional sense as it's not really exploitable by an outside actor - but it is dangerous, because someone assuming the API docs were correct and `getSecret` was pulling from their staging environment when they passed their staging profile in explicitly probably won't be expecting that their previous call to `listSecrets` in response to a different API call has permanently pointed their `credstash` module at their production account.
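An added example, not credstash's own code, contrasting the single-variable cache pattern the issue describes with a cache keyed on the credential arguments. `make_session` is a hypothetical stand-in for `boto3.Session` that only records its arguments, so the example runs offline.

```python
# Added example (not credstash's own code): the single-variable cache the
# issue describes beside a cache keyed on the credential arguments.
# `make_session` is a hypothetical stand-in for boto3.Session so this runs
# offline; it only records the arguments it was called with.

def make_session(**kwargs):
    """Stand-in for boto3.Session: returns a dict recording its arguments."""
    return dict(kwargs)


def get_session_cached_once(aws_access_key_id=None, aws_secret_access_key=None,
                            aws_session_token=None, profile_name=None):
    """The pattern the issue describes: the first session ever built is
    returned for every later call, whatever profile was asked for."""
    if get_session_cached_once._cached_session is None:
        get_session_cached_once._cached_session = make_session(
            aws_access_key_id=aws_access_key_id,
            aws_secret_access_key=aws_secret_access_key,
            aws_session_token=aws_session_token,
            profile_name=profile_name)
    return get_session_cached_once._cached_session


get_session_cached_once._cached_session = None


def get_session_keyed(aws_access_key_id=None, aws_secret_access_key=None,
                      aws_session_token=None, profile_name=None):
    """Fix: key the cache on the full credential tuple, so each distinct
    (key, secret, token, profile) combination gets its own session and a
    later call with a different profile can never be served the wrong one."""
    cache_key = (aws_access_key_id, aws_secret_access_key,
                 aws_session_token, profile_name)
    session = get_session_keyed._sessions.get(cache_key)
    if session is None:
        session = make_session(aws_access_key_id=aws_access_key_id,
                               aws_secret_access_key=aws_secret_access_key,
                               aws_session_token=aws_session_token,
                               profile_name=profile_name)
        get_session_keyed._sessions[cache_key] = session
    return session


get_session_keyed._sessions = {}


def demo(get_session):
    """Simulate an earlier listSecrets against 'prod' followed by getSecret
    with the 'staging' profile passed explicitly; return the profiles the two
    sessions were actually built for (constructed profile names)."""
    first = get_session(profile_name="prod")      # earlier listSecrets call
    second = get_session(profile_name="staging")  # getSecret, explicit profile
    return first["profile_name"], second["profile_name"]
```

With the single-variable cache `demo` reports `("prod", "prod")`: the explicit staging profile is silently ignored. With the keyed cache it reports `("prod", "staging")` while repeated calls for the same profile still share one session.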