Ayoung: as far as I can tell this patch is more appropriate than mine regarding the problem at hand. What I was doing was serving the same trust token (i.e. the one used to create the ec2 creds) whenever there was an ec2 authentication. This wasn't a good idea, due to the short lifespan of tokens.
I also added a reference to the trustee id when creating the credentials, so that it'd be possible to differentiate impersonation.