fix: retrieve IAM user explicitly in credentials rotation

[jbbarth]

The bug is explained here: #911

Summary

When a restrictive IAM policy is in place and includes a condition on ${aws:username}, then granted credentials rotate breaks and the policy evaluation somehow inserts a "null" string before the username (so I'm getting an access denied on nulljean-baptiste.barth on my side).

If we retrieve the username explicitly before issuing the API calls, then everything works perfectly fine.

Longer explanation

When granted credentials rotate calls IAM APIs (CreateAccessKey, UpdateAccessKey, DeleteAccessKey), it doesn't explicitly set the UserName field. AWS is documented to default to the calling user when UserName is omitted, and the API call itself succeeds.

However, a problem can appear during IAM policy evaluation. If you have an identity-based policy restricting key operations to the current user, e.g.:

  "Resource": "arn:aws:iam::*:user/${aws:username}"

AWS then constructs the request's resource ARN with the literal string "null" instead of the actual username when UserName is omitted. So the evaluated ARN becomes something like arn:aws:iam::123456789:user/nulljean-baptiste.barth, which doesn't match the policy, and the request is denied.

This is why it works fine for users with broad IAM permissions but fails for users with least-privilege policies. And we actually added such restrictions recently to limit what our non admin users can do.

Fix

In pkg/granted/credentials.go, we can call iam.GetUser (with no UserName, which returns the calling user) before the key operations, then pass the retrieved username explicitly to all three API calls.