From 09ebcd5e29974870335260e679e596614fae1a6c Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 10:50:27 -0500
Subject: [PATCH 01/12] reduce calls to DetermineRoleFromLoginRequest from 3 to 1 for aws auth method
---
 http/util.go | 8 +++++++-
 sdk/logical/request.go | 6 ++++++
 vault/login_mfa.go | 5 +++--
 vault/request_handling.go | 19 ++++++++++++++-----
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/http/util.go b/http/util.go
index 61dc8360c846..ef3e2e5199e8 100644
--- a/http/util.go
+++ b/http/util.go
@@ -5,6 +5,7 @@ package http
 import (
 "bytes"
+ "context"
 "errors"
 "fmt"
 "io/ioutil"
@@ -59,11 +60,16 @@ func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler
 }
 r.Body = ioutil.NopCloser(bytes.NewBuffer(bodyBytes))
+ role := core.DetermineRoleFromLoginRequestFromBytes(mountPath, bodyBytes, r.Context())
+
+ // add an entry to the context to prevent recalculating request role unnecessarily
+ r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role))
+
 quotaResp, err := core.ApplyRateLimitQuota(r.Context(), "as.Request{
 Type: quotas.TypeRateLimit,
 Path: path,
 MountPath: mountPath,
- Role: core.DetermineRoleFromLoginRequestFromBytes(mountPath, bodyBytes, r.Context()),
+ Role: role,
 NamespacePath: ns.Path,
 ClientAddress: parseRemoteIPAddress(r),
 })
diff --git a/sdk/logical/request.go b/sdk/logical/request.go
index 8a6ac241fe80..39d5bbe2625f 100644
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -447,3 +447,9 @@ type CtxKeyInFlightRequestID struct{}
 func (c CtxKeyInFlightRequestID) String() string {
 return "in-flight-request-ID"
 }
+
+ type CtxKeyRequestRole struct{}
+
+ func (c CtxKeyRequestRole) String() string {
+ return "request-role"
+ }
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 751c99c4f30d..62b6dc975388 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
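Review bot: The role is stored in the request context unconditionally in the rateLimitQuotaWrapping hunk, so an empty result from DetermineRoleFromLoginRequestFromBytes is later indistinguishable from "no role was computed" — the consumers added in the same series test `ctx.Value(...) != nil`, which is true for an empty string. If consumers are meant to compute the role themselves when the HTTP layer did not, store only a non-empty value: `if role != "" { r = r.WithContext(context.WithValue(r.Context(), logical.CtxKeyRequestRole{}, role)) }`. rateLimitQuotaWrapping starts and ends outside the hunk, so I cannot see whether this code runs for non-login requests as well; if it does, the comment should say what role means for them.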
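Review bot: CtxKeyRequestRole in sdk/logical/request.go is an exported type with no doc comment, and since it carries an authorization-relevant value across packages, a reader needs to know who sets it and what an absent value means. Suggest `// CtxKeyRequestRole is the context key under which the HTTP layer stores the role derived from a login request body so that quota and lease-registration code does not recompute it; absence means no role was resolved.` above the type, matching the style of the neighbouring CtxKeyInFlightRequestID if it is documented.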
@@ -791,12 +791,13 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 return nil, fmt.Errorf("namespace not found: %w", err)
 }
+ role := c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx)
 // The request successfully authenticated itself. Run the quota checks on
 // the original login request path before creating the token.
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
 Path: reqPath,
 MountPath: strings.TrimPrefix(mountPoint, ns.Path),
- Role: c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx),
+ Role: role,
 NamespacePath: ns.Path,
 })
@@ -816,7 +817,7 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // note that we don't need to handle the error for the following function right away.
 // The function takes the response as in input variable and modify it. So, the returned
 // arguments are resp and err.
- leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, resp, loginRequestData)
+ leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, resp, role)
 if quotaResp.Access != nil {
 quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index a11306c75120..0e207a5c0810 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -489,6 +489,10 @@ func (c *Core) switchedLockHandleRequest(httpCtx context.Context, req *logical.R
 if ok {
 ctx = context.WithValue(ctx, logical.CtxKeyInFlightRequestID{}, inFlightReqID)
 }
+ requestRole, ok := httpCtx.Value(logical.CtxKeyRequestRole{}).(string)
+ if ok {
+ ctx = context.WithValue(ctx, logical.CtxKeyRequestRole{}, requestRole)
+ }
 resp, err = c.handleCancelableRequest(ctx, req)
 req.SetTokenEntry(nil)
 cancel()
@@ -1296,6 +1300,12 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())
+ // Check for request role
+ var role string
+ if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
+ role = reqRole.(string)
+ }
+
 req.Unauthenticated = true
 var nonHMACReqDataKeys []string
@@ -1482,7 +1492,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
 Path: req.Path,
 MountPath: strings.TrimPrefix(req.MountPoint, ns.Path),
- Role: c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx),
+ Role: role,
 NamespacePath: ns.Path,
 })
@@ -1674,7 +1684,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // Attach the display name, might be used by audit backends
 req.DisplayName = auth.DisplayName
- leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp, req.Data)
+ leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp, role)
 leaseGenerated = leaseGen
 if errCreateToken != nil {
 return respTokenCreate, nil, errCreateToken
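Review bot: In the hunk at line 1482 the lease count quota's role now comes solely from the context value that rateLimitQuotaWrapping stores, whereas the removed line computed it from req.Data; any caller that reaches handleLoginRequest without passing through that HTTP wrapper (in-process callers, tests) will presumably evaluate a role-scoped quota with `role == ""`, which silently weakens enforcement rather than failing. The lookup added at the top of the function also uses an unchecked `reqRole.(string)`, which panics if a different type is ever stored under the key. Keeping DetermineRoleFromLoginRequest as the fallback when the context carries no string preserves the one-call saving on the HTTP path; the same concern applies to the RegisterAuth call in handleRequest (patch 03) and to the relocated lookups in patch 10. handleLoginRequest continues well beyond these hunks, so I cannot see every consumer of role.
```go
	// Check for request role; fall back to computing it when the HTTP layer did not
	var role string
	if reqRole, ok := ctx.Value(logical.CtxKeyRequestRole{}).(string); ok {
		role = reqRole
	} else {
		role = c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx)
	}
	// … unchanged: req.Unauthenticated = true and the rest of the function …
```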
@@ -1726,9 +1736,8 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // LoginCreateToken creates a token as a result of a login request.
 // If MFA is enforced, mfa/validate endpoint calls this functions
 // after successful MFA validation to generate the token.
-func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response, loginRequestData map[string]interface{}) (bool, *logical.Response, error) {
+func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response, role string) (bool, *logical.Response, error) {
 auth := resp.Auth
-
 source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
 source = strings.ReplaceAll(source, "/", "-")
@@ -1788,7 +1797,7 @@ func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, re
 }
 leaseGenerated := false
- err = registerFunc(ctx, tokenTTL, reqPath, auth, c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx))
+ err = registerFunc(ctx, tokenTTL, reqPath, auth, role)
 switch {
 case err == nil:
 if auth.TokenType != logical.TokenTypeBatch {
From d4f4f243c9237e4847d972c8bc9c89730fe16cf5 Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 10:55:32 -0500
Subject: [PATCH 02/12] change ordering of LoginCreateToken args
---
 vault/login_mfa.go | 2 +-
 vault/request_handling.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 62b6dc975388..c4088994f710 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
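Review bot: The doc comment on LoginCreateToken is not updated for the new `role` parameter that replaces loginRequestData, and because the method is exported the signature change breaks any out-of-tree caller, which deserves a mention in the commit message. Suggest appending `// role is the auth role resolved for the login (from DetermineRoleFromLoginRequest or the request context); it is forwarded to lease registration and may be empty.` to the comment block, and fixing the existing `calls this functions` to `calls this function` while touching it. The removed blank line after `auth := resp.Auth` is unrelated whitespace churn. The body of LoginCreateToken runs past the second hunk.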
@@ -817,7 +817,7 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // note that we don't need to handle the error for the following function right away.
 // The function takes the response as in input variable and modify it. So, the returned
 // arguments are resp and err.
- leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, resp, role)
+ leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, resp, reqPath, mountPoint, role)
 if quotaResp.Access != nil {
 quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 0e207a5c0810..fd412dc6535d 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1684,7 +1684,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // Attach the display name, might be used by audit backends
 req.DisplayName = auth.DisplayName
- leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp, role)
+ leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, resp, req.Path, source, role)
 leaseGenerated = leaseGen
 if errCreateToken != nil {
 return respTokenCreate, nil, errCreateToken
@@ -1736,7 +1736,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // LoginCreateToken creates a token as a result of a login request.
 // If MFA is enforced, mfa/validate endpoint calls this functions
 // after successful MFA validation to generate the token.
-func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response, role string) (bool, *logical.Response, error) {
+func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, resp *logical.Response, reqPath, mountPoint, role string) (bool, *logical.Response, error) {
 auth := resp.Auth
 source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
 source = strings.ReplaceAll(source, "/", "-")
From 35795b13d3410b3326a99ec9c39cad24fa14d849 Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 11:07:09 -0500
Subject: [PATCH 03/12] replace another determineRoleFromLoginRequest function with role from context
---
 vault/request_handling.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index fd412dc6535d..c37784e610f5 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -879,6 +879,12 @@ func (c *Core) isLoginRequest(ctx context.Context, req *logical.Request) bool {
 func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())
+ // Check for request role
+ var role string
+ if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
+ role = reqRole.(string)
+ }
+
 var nonHMACReqDataKeys []string
 entry := c.router.MatchingMountEntry(ctx, req.Path)
 if entry != nil {
@@ -1252,7 +1258,7 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 Path: resp.Auth.CreationPath,
 NamespaceID: ns.ID,
 }
- if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, c.DetermineRoleFromLoginRequest(req.MountPoint, req.Data, ctx)); err != nil {
+ if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, role); err != nil {
 // Best-effort clean up on error, so we log the cleanup error as
 // a warning but still return as internal error.
 if err := c.tokenStore.revokeOrphan(ctx, resp.Auth.ClientToken); err != nil {
From 620eee56a60f0139a40b08485c567e67c3b02c99 Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 11:31:37 -0500
Subject: [PATCH 04/12] add changelog
---
 changelog/22583.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/22583.txt
diff --git a/changelog/22583.txt b/changelog/22583.txt
new file mode 100644
index 000000000000..618605764a86
--- /dev/null
+++ b/changelog/22583.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core/quotas: Reduce the number of times role is calculated for rate limit and lease count quotas.
+```
\ No newline at end of file
From 3577e9d47baf0b37af6cbcdf528e0110a1ed71ba Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 11:39:02 -0500
Subject: [PATCH 05/12] Check for role in context if not there make call to DeteremineRoleFromLoginRequest
---
 vault/login_mfa.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index c4088994f710..aaee01a19e69 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -786,12 +786,19 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // Determine the source of the login
 mountPoint := c.router.MatchingMount(ctx, reqPath)
+ var role string
+ reqRole := ctx.Value(logical.CtxKeyRequestRole{})
+ if reqRole != nil {
+ role = reqRole.(string)
+ } else {
+ role = c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx)
+ }
+
 ns, err := namespace.FromContext(ctx)
 if err != nil {
 return nil, fmt.Errorf("namespace not found: %w", err)
 }
- role := c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx)
 // The request successfully authenticated itself. Run the quota checks on
 // the original login request path before creating the token.
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
From d1bf570f6333462daa27fc33521b90e5bed65759 Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 11:53:05 -0500
Subject: [PATCH 06/12] move context role check below nanmespace check
---
 vault/login_mfa.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index aaee01a19e69..4dc8e5f1c713 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -786,6 +786,11 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // Determine the source of the login
 mountPoint := c.router.MatchingMount(ctx, reqPath)
+ ns, err := namespace.FromContext(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("namespace not found: %w", err)
+ }
+
 var role string
 reqRole := ctx.Value(logical.CtxKeyRequestRole{})
 if reqRole != nil {
@@ -794,11 +799,6 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 role = c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx)
 }
- ns, err := namespace.FromContext(ctx)
- if err != nil {
- return nil, fmt.Errorf("namespace not found: %w", err)
- }
-
 // The request successfully authenticated itself. Run the quota checks on
 // the original login request path before creating the token.
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
From c3e26e3d5b9be1a62f8bc4d19fcfcda552d165e9 Mon Sep 17 00:00:00 2001
From: Ellie
Date: Mon, 28 Aug 2023 14:16:35 -0500
Subject: [PATCH 07/12] Update changelog/22583.txt
Co-authored-by: Nick Cabatoff
---
 changelog/22583.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/22583.txt b/changelog/22583.txt
index 618605764a86..df288558fbb0 100644
--- a/changelog/22583.txt
+++ b/changelog/22583.txt
@@ -1,3 +1,3 @@
 ```release-note:improvement
-core/quotas: Reduce the number of times role is calculated for rate limit and lease count quotas.
+core/quotas: Reduce overhead for role calculation when using cloud auth methods.
 ```
\ No newline at end of file
From 1ef8b581dea01c9911e93f14e0fde33a85459a2f Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 14:43:53 -0500
Subject: [PATCH 08/12] revert signature to same order
---
 vault/login_mfa.go | 2 +-
 vault/request_handling.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 4dc8e5f1c713..ba11e2c0024b 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -824,7 +824,7 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // note that we don't need to handle the error for the following function right away.
 // The function takes the response as in input variable and modify it. So, the returned
 // arguments are resp and err.
- leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, resp, reqPath, mountPoint, role)
+ leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, resp, role)
 if quotaResp.Access != nil {
 quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index c37784e610f5..4883db13fe45 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1690,7 +1690,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // Attach the display name, might be used by audit backends
 req.DisplayName = auth.DisplayName
- leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, resp, req.Path, source, role)
+ leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp, role)
 leaseGenerated = leaseGen
 if errCreateToken != nil {
 return respTokenCreate, nil, errCreateToken
@@ -1742,7 +1742,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // LoginCreateToken creates a token as a result of a login request.
 // If MFA is enforced, mfa/validate endpoint calls this functions
 // after successful MFA validation to generate the token.
-func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, resp *logical.Response, reqPath, mountPoint, role string) (bool, *logical.Response, error) {
+func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response, role string) (bool, *logical.Response, error) {
 auth := resp.Auth
 source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
 source = strings.ReplaceAll(source, "/", "-")
From 74b5182116bb9916dbd046ef8e182bb279a3d667 Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 14:48:58 -0500
Subject: [PATCH 09/12] make sure resp is last argument
---
 vault/login_mfa.go | 2 +-
 vault/request_handling.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index ba11e2c0024b..9cabad6a5123 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -824,7 +824,7 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 // note that we don't need to handle the error for the following function right away.
 // The function takes the response as in input variable and modify it. So, the returned
 // arguments are resp and err.
- leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, resp, role)
+ leaseGenerated, resp, err := c.LoginCreateToken(ctx, ns, reqPath, mountPoint, role, resp)
 if quotaResp.Access != nil {
 quotaAckErr := c.ackLeaseQuota(quotaResp.Access, leaseGenerated)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 4883db13fe45..bf578e15dd48 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1690,7 +1690,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // Attach the display name, might be used by audit backends
 req.DisplayName = auth.DisplayName
- leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, resp, role)
+ leaseGen, respTokenCreate, errCreateToken := c.LoginCreateToken(ctx, ns, req.Path, source, role, resp)
 leaseGenerated = leaseGen
 if errCreateToken != nil {
 return respTokenCreate, nil, errCreateToken
@@ -1742,7 +1742,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // LoginCreateToken creates a token as a result of a login request.
 // If MFA is enforced, mfa/validate endpoint calls this functions
 // after successful MFA validation to generate the token.
-func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint string, resp *logical.Response, role string) (bool, *logical.Response, error) {
+func (c *Core) LoginCreateToken(ctx context.Context, ns *namespace.Namespace, reqPath, mountPoint, role string, resp *logical.Response) (bool, *logical.Response, error) {
 auth := resp.Auth
 source := strings.TrimPrefix(mountPoint, credentialRoutePrefix)
 source = strings.ReplaceAll(source, "/", "-")
From fccd6647b8ac649d250c9eadfa0abf958931714d Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 14:51:07 -0500
Subject: [PATCH 10/12] retrieve role from context closer to where role variable is needed
---
 vault/request_handling.go | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/vault/request_handling.go b/vault/request_handling.go
index bf578e15dd48..86856a036f76 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -879,12 +879,6 @@ func (c *Core) isLoginRequest(ctx context.Context, req *logical.Request) bool {
 func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 defer metrics.MeasureSince([]string{"core", "handle_request"}, time.Now())
- // Check for request role
- var role string
- if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
- role = reqRole.(string)
- }
-
 var nonHMACReqDataKeys []string
 entry := c.router.MatchingMountEntry(ctx, req.Path)
 if entry != nil {
@@ -1258,6 +1252,13 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 Path: resp.Auth.CreationPath,
 NamespaceID: ns.ID,
 }
+
+ // Check for request role
+ var role string
+ if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
+ role = reqRole.(string)
+ }
+
 if err := c.expiration.RegisterAuth(ctx, registeredTokenEntry, resp.Auth, role); err != nil {
 // Best-effort clean up on error, so we log the cleanup error as
 // a warning but still return as internal error.
@@ -1306,12 +1307,6 @@ func (c *Core) handleRequest(ctx context.Context, req *logical.Request) (retResp
 func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (retResp *logical.Response, retAuth *logical.Auth, retErr error) {
 defer metrics.MeasureSince([]string{"core", "handle_login_request"}, time.Now())
- // Check for request role
- var role string
- if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
- role = reqRole.(string)
- }
-
 req.Unauthenticated = true
 var nonHMACReqDataKeys []string
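Review bot: After this patch the identical five-line context lookup with an unchecked `reqRole.(string)` assertion exists in three places (handleRequest and handleLoginRequest here, LoginMFACreateToken in login_mfa.go), so a future change to the key's contract has to be made three times. A small package-level helper keeps the "no value means empty role" rule in one spot and turns each call site into `role := requestRoleFromContext(ctx)`. Whether an empty role should instead trigger a recomputation is a separate question about the contract of the key.
```go
// requestRoleFromContext returns the role that the HTTP layer stored under
// logical.CtxKeyRequestRole, or "" when the context carries no string value.
func requestRoleFromContext(ctx context.Context) string {
	role, _ := ctx.Value(logical.CtxKeyRequestRole{}).(string)
	return role
}
```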
@@ -1493,6 +1488,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 return
 }
+ // Check for request role
+ var role string
+ if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
+ role = reqRole.(string)
+ }
+
 // The request successfully authenticated itself. Run the quota checks
 // before creating lease.
 quotaResp, quotaErr := c.applyLeaseCountQuota(ctx, "as.Request{
From 66fb66925d22f69c3b7c756eb0eed635348f00ef Mon Sep 17 00:00:00 2001
From: Ellie Sterner
Date: Mon, 28 Aug 2023 14:52:12 -0500
Subject: [PATCH 11/12] remove failsafe for role in mfa login
---
 vault/login_mfa.go | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index 9cabad6a5123..a81dd512371c 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -792,11 +792,8 @@ func (c *Core) LoginMFACreateToken(ctx context.Context, reqPath string, cachedAu
 }
 var role string
- reqRole := ctx.Value(logical.CtxKeyRequestRole{})
- if reqRole != nil {
+ if reqRole := ctx.Value(logical.CtxKeyRequestRole{}); reqRole != nil {
 role = reqRole.(string)
- } else {
- role = c.DetermineRoleFromLoginRequest(mountPoint, loginRequestData, ctx)
 }
 // The request successfully authenticated itself. Run the quota checks on
From 637b0f58b8b96fd7c1802334a7ee9ec08ffa48b4 Mon Sep 17 00:00:00 2001
From: Ellie
Date: Mon, 28 Aug 2023 15:03:53 -0500
Subject: [PATCH 12/12] Update changelog/22583.txt
---
 changelog/22583.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog/22583.txt b/changelog/22583.txt
index df288558fbb0..0bc29d60fea8 100644
--- a/changelog/22583.txt
+++ b/changelog/22583.txt
@@ -1,3 +1,3 @@
-```release-note:improvement
+```release-note:bug
 core/quotas: Reduce overhead for role calculation when using cloud auth methods.
 ```
\ No newline at end of file
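Review bot: Removing the DetermineRoleFromLoginRequest fallback in the login_mfa.go hunk ties the MFA token path entirely to the context value, yet the request that reaches LoginMFACreateToken is the MFA validation call rather than the original login, so the role the HTTP layer stored would presumably have been derived from that request's body and not from loginRequestData — worth confirming against rateLimitQuotaWrapping before merging. If that is the case, the lease count quota and lease registration for MFA-gated logins now see an empty role where the pre-series code used the cached login's role. After this hunk loginRequestData has no remaining use in the visible code; if it is a parameter it should either be dropped or documented as retained for API compatibility. The function's signature and the rest of its body are outside the hunk.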