From d4ae267addc45ad7b4d9009b218f52f0933a2c89 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 11 Aug 2021 14:59:26 -0700 Subject: [PATCH] Fix ErrAllowTokenReuse comment. --- authority/provisioner/provisioner.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go index 75fabed5..652cb888 100644 --- a/authority/provisioner/provisioner.go +++ b/authority/provisioner/provisioner.go @@ -36,12 +36,12 @@ type Interface interface { // ErrAllowTokenReuse is an error that is returned by provisioners that allows // the reuse of tokens. // -// This is for example returned by the Azure provisioner when -// DisableTrustOnFirstUse is set to true. For AWS and GCP DisableTrustOnFirst -// use means that we allow the re-use of a token coming from a specific -// instance, but in these providers we can always get a new token, but because -// Azure caches the token for up to 24h we should add a mechanism to allow the -// re-use. +// This is, for example, returned by the Azure provisioner when +// DisableTrustOnFirstUse is set to true. Azure caches tokens for up to 24hr and +// has no mechanism for getting a different token - this can be an issue when +// rebooting a VM. In contrast, AWS and GCP have facilities for requesting a new +// token. Therefore, for the Azure provisioner we are enabling token reuse, with +// the understanding that we are not following security best practices var ErrAllowTokenReuse = stderrors.New("allow token reuse") // Audiences stores all supported audiences by request type.