pam: allow account credentials to be fetched more than once

x032205 · x032205 · commit 39aa338ce51e · 2025-11-19T11:11:35.000-05:00
diff --git a/backend/src/ee/services/pam-account/pam-account-service.ts b/backend/src/ee/services/pam-account/pam-account-service.ts
@@ -668,11 +668,6 @@ export const pamAccountServiceFactory = ({
       throw new BadRequestError({ message: "Session has ended or expired" });
     }
 
-    // Verify that the session has not already had credentials fetched
-    if (session.status !== PamSessionStatus.Starting) {
-      throw new BadRequestError({ message: "Session has already been started" });
-    }
-
     const account = await pamAccountDAL.findById(session.accountId);
     if (!account) throw new NotFoundError({ message: `Account with ID '${session.accountId}' not found` });
 
@@ -690,10 +685,12 @@ export const pamAccountServiceFactory = ({
     const decryptedResource = await decryptResource(resource, session.projectId, kmsService);
 
     // Mark session as started
-    await pamSessionDAL.updateById(sessionId, {
-      status: PamSessionStatus.Active,
-      startedAt: new Date()
-    });
+    if (session.status === PamSessionStatus.Starting) {
+      await pamSessionDAL.updateById(sessionId, {
+        status: PamSessionStatus.Active,
+        startedAt: new Date()
+      });
+    }
 
     return {
       credentials: {
