Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use AWS OIDC integration for AWS CLI/console access #30150

Closed
9 tasks done
r0mant opened this issue Aug 7, 2023 · 0 comments · Fixed by #41569
Closed
9 tasks done

Use AWS OIDC integration for AWS CLI/console access #30150

r0mant opened this issue Aug 7, 2023 · 0 comments · Fixed by #41569
Assignees
@marcoandredinis
Labels
application-access aws Used for AWS Related Issues. discover Issues related to Teleport Discover feature-request Used for new features in Teleport, improvements to current should be #enhancements

Comments

@r0mant
Copy link
Collaborator

r0mant commented Aug 7, 2023
edited by marcoandredinis

Right now users have to configure AWS CLI/console access by enabling it in the app service and assigning it necessary IAM permissions:

https://goteleport.com/docs/application-access/cloud-apis/aws-console/

We should see if we can use our AWS OIDC integration to enable AWS CLI/console access as well. Then, users will be able to configure this integration by setting up the AWS integration in the Discover flow and won't need to host an agent similar to hosted access plugins.

Tasks
Beta Give feedback
  1. AWSOIDC gRPC Service #37245
    18 of 18
    aws discover
    marcoandredinis
  2. Add Integration field to App resource #39670
    backport/branch/v15 no-changelog size/sm
  3. AppService: split connection handler and service #40515
    application-access backport/branch/v15 no-changelog size/md
  4. Allow dynamic AWS Session provider #40553
    application-access backport/branch/v15 database-access discover no-changelog size/sm
  5. AWS OIDC: IAM set up for AWS App Access #40575
    backport/branch/v15 discover no-changelog size/md
  6. Use AWS OIDC Integration for AWS App Access #40555
    application-access backport/branch/v15 discover no-changelog size/md
  7. API for creating AppServer that uses AWS OIDC Integration #40581
    backport/branch/v15 discover no-changelog size/md tctl
  8. AWS OIDC App Access: add PublicAddr to App #41543
    application-access backport/branch/v15 no-changelog size/sm tctl
  9. WebDiscover: Add AWS Management Console as a guided flow #41569
    application-access backport/branch/v15 size/xl ui

UI steps:

  • select AWS Access tile
  • pick/create integration
  • Run script that adds inline policy to Integration's IAM Role
    • bash -c $(curl https://...../webapi/scripts/integrations/configure/aws-app-access-iam.sh?role=<IntegrationRoleName>)
  • AppServer is created here, but not visible to the user
    • POST https://.../integrations/aws-oidc/:name/aws-app-access
  • Set Up Access (using aws-arn-role traits)
    • User must be warned that only roles with Tag teleport.dev/integration: true are allowed to be used by the integration.
  • Test Connection: user can select an AWS IAM role and connect to it, the same way we do when listing Resources/Applications.

Example of ApplicationServer

kind: app_server
metadata:
  name: <integration-name>-aws
spec:
  app:
    kind: app
    metadata:
      labels:
        teleport.dev/origin: integration_awsoidc
        teleport.dev/integration_name: <integration-name>
      name: <integration-name>-aws
    spec:
      cloud: AWS
      public_addr: <integration-name>-aws.<proxy-public-addr>
      uri: https://console.aws.amazon.com/
    version: v3
  host_id: <proxy's host_id>
  version: <proxy's teleport version>
version: v3

Example of Teleport Role:

kind: role
version: v5
metadata:
  name: aws-console-access
spec:
  allow:
    aws_role_arns:
    - arn:aws:iam::1234567890:role/ExamplePowerUser
    - arn:aws:iam::1234567890:role/ExampleReadOnlyAccess

Example of IAM Policy required in IdP's Role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeTaggedRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"iam:ResourceTag/teleport.dev/integration": "true"}
            }
        }
    ]
}
@r0mant r0mant added feature-request Used for new features in Teleport, improvements to current should be #enhancements aws Used for AWS Related Issues. application-access labels Aug 7, 2023
@marcoandredinis marcoandredinis self-assigned this Nov 13, 2023
@marcoandredinis marcoandredinis added the discover Issues related to Teleport Discover label Jan 11, 2024
@strideynet strideynet mentioned this issue Jan 15, 2024
Open
@ean ean mentioned this issue Jan 16, 2024
Open
@marcoandredinis marcoandredinis mentioned this issue Apr 12, 2024
Merged
This was referenced May 10, 2024
Merged
Merged
This was referenced May 14, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcoandredinis marcoandredinis

Labels
application-access aws Used for AWS Related Issues. discover Issues related to Teleport Discover feature-request Used for new features in Teleport, improvements to current should be #enhancements
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

WebDiscover: Add AWS Management Console as a guided flow gravitational/teleport
2 participants
@r0mant @marcoandredinis