diff --git a/vault/request_handling.go b/vault/request_handling.go index fac4734d4f7f..192cdbccdff7 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -1485,7 +1485,8 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re // Check for request role in context to role based quotas var role string - if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil { + reqRole := ctx.Value(logical.CtxKeyRequestRole{}) + if reqRole != nil { role = reqRole.(string) } @@ -1686,6 +1687,13 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re // Attach the display name, might be used by audit backends req.DisplayName = auth.DisplayName + // If this is not a role-based quota, we still need to associate the + // login role with this lease for later lease-count quotas to be + // accurate. + if reqRole == nil { + role = c.DetermineRoleFromLoginRequest(ctx, req.MountPoint, req.Data) + } + leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, role, resp) leaseGenerated = leaseGen if errCreateToken != nil {