[VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026)

* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message

builtin/credential/aws/path_role.go

@@ -889,11 +889,7 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
 		}
 	}
 
-	defaultLeaseTTL := b.System().DefaultLeaseTTL()
 	systemMaxTTL := b.System().MaxLeaseTTL()
-	if roleEntry.TokenTTL > defaultLeaseTTL {
-		resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds greater than current mount/system default of %d seconds; ttl will be capped at login time", roleEntry.TokenTTL/time.Second, defaultLeaseTTL/time.Second))
-	}
 	if roleEntry.TokenMaxTTL > systemMaxTTL {
 		resp.AddWarning(fmt.Sprintf("Given max ttl of %d seconds greater than current mount/system default of %d seconds; max ttl will be capped at login time", roleEntry.TokenMaxTTL/time.Second, systemMaxTTL/time.Second))
 	}

builtin/credential/aws/path_role_test.go

@@ -762,10 +762,10 @@ func TestAwsEc2_RoleDurationSeconds(t *testing.T) {
 	}
 
 	if resp.Data["ttl"].(int64) != 10 {
-		t.Fatalf("bad: period; expected: 10, actual: %d", resp.Data["ttl"])
+		t.Fatalf("bad: ttl; expected: 10, actual: %d", resp.Data["ttl"])
 	}
 	if resp.Data["max_ttl"].(int64) != 20 {
-		t.Fatalf("bad: period; expected: 20, actual: %d", resp.Data["max_ttl"])
+		t.Fatalf("bad: max_ttl; expected: 20, actual: %d", resp.Data["max_ttl"])
 	}
 	if resp.Data["period"].(int64) != 30 {
 		t.Fatalf("bad: period; expected: 30, actual: %d", resp.Data["period"])

changelog/12026.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL.
+```