Closed benarent closed 2 years ago
Can you share the role and certificate it made for each @benarent?
Access Role:

```yaml
kind: role
metadata:
  description: Access cluster resources
  id: 1651029786137578485
  name: access
spec:
  allow:
    app_labels:
      '*': '*'
    db_labels:
      '*': '*'
    db_names:
    - '{{internal.db_names}}'
    - redis
    - aurora
    - bizops
    - mongodb
    - mongodb-atlas
    db_users:
    - '{{internal.db_users}}'
    - alice
    - sre
    - sre-team
    - default
    kubernetes_groups:
    - '{{internal.kubernetes_groups}}'
    - system:masters
    kubernetes_labels:
      '*': '*'
    kubernetes_users:
    - '{{internal.kubernetes_users}}'
    logins:
    - '{{internal.logins}}'
    - ubuntu
    - ec2-user
    - debian
    node_labels:
      '*': '*'
    rules:
    - resources:
      - '*'
      verbs:
      - '*'
    windows_desktop_labels:
      '*': '*'
    windows_desktop_logins:
    - '{{internal.windows_logins}}'
    - Admin
    - Administrator
  deny: {}
  options:
    cert_format: standard
    desktop_clipboard: true
    enhanced_recording:
    - command
    - network
    forward_agent: true
    max_session_ttl: 30h0m0s
    port_forwarding: true
    record_session:
      desktop: true
version: v5
```
AWS Connect Role:

```yaml
kind: role
metadata:
  name: aws-console-access
spec:
  allow:
    app_labels:
      '*': '*'
    aws_role_arns:
    - arn:aws:iam::981262289404:role/gui_teleport_cloudwatch_full
  deny: {}
  options:
    cert_format: standard
    desktop_clipboard: true
    enhanced_recording:
    - command
    - network
    forward_agent: false
    max_session_ttl: 10h0m0s
    port_forwarding: true
    record_session:
      desktop: true
version: v4
```
GitHub connector:

```yaml
kind: github
metadata:
  name: github
spec:
  client_id: xxx
  client_secret: xxx
  display: github
  redirect_url: https://teleport-9a.asteroid.earth:443/v1/webapi/github/callback
  teams_to_logins:
  - logins:
    - access
    - aws-console-access
    organization: gravitational
    team: employees-development
version: v3
```
When logging in, I used the commands below with the teleport-admin user.

```
tsh db login --db-user=sre --db-name=postgres aurora
-> tsh db connect aurora
```

I needed to have 'postgres' in my 'access' role.
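An added example, not Teleport's own code, modelling how a role's `db_users`/`db_names` allow lists are evaluated for a `tsh db login` request once the `{{internal.*}}` trait templates are expanded per user. The trait values (a local user carrying `db_names: [postgres]`, an SSO user carrying none) are assumptions constructed to show why a name missing from the role can pass for one user and fail for another.

```python
"""Toy model of Teleport-style role evaluation for database access.

Constructed example. It expands '{{internal.X}}' entries in a role's allow
lists from a user's traits and checks a (db_user, db_name) request. The
db_users/db_names lists copy the 'access' role quoted in the thread.
"""
import re

TEMPLATE = re.compile(r"^\{\{internal\.(\w+)\}\}$")

# db_users / db_names exactly as in the quoted 'access' role (no 'postgres').
ACCESS_ROLE = {
    "db_users": ["{{internal.db_users}}", "alice", "sre", "sre-team", "default"],
    "db_names": ["{{internal.db_names}}", "redis", "aurora", "bizops",
                 "mongodb", "mongodb-atlas"],
}

def expand(values, traits):
    """Replace each '{{internal.X}}' entry with the user's trait X (empty if unset)."""
    out = []
    for v in values:
        m = TEMPLATE.match(v)
        out.extend(traits.get(m.group(1), []) if m else [v])
    return out

def allowed(role, traits, db_user, db_name):
    """True only if both the database user and database name are permitted."""
    users = expand(role["db_users"], traits)
    names = expand(role["db_names"], traits)
    return (db_user in users or "*" in users) and (db_name in names or "*" in names)

def fixed_role(role):
    """Copy of the role with 'postgres' listed statically, as the thread ended up doing."""
    return {**role, "db_names": role["db_names"] + ["postgres"]}

# Assumed traits: the local user was created with explicit db traits; the
# GitHub-connector user has no internal db traits, so the templates expand to nothing.
LOCAL_TRAITS = {"db_users": ["sre"], "db_names": ["postgres"]}
SSO_TRAITS = {}

if __name__ == "__main__":
    req = ("sre", "postgres")                     # tsh db login --db-user=sre --db-name=postgres
    print("local user :", allowed(ACCESS_ROLE, LOCAL_TRAITS, *req))
    print("sso user   :", allowed(ACCESS_ROLE, SSO_TRAITS, *req))
    print("sso, fixed :", allowed(fixed_role(ACCESS_ROLE), SSO_TRAITS, *req))
```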
Current behavior:
I'm currently setting up Teleport Database Access with my test cluster. For some strange reason, with the same role, it'll work with a local user but won't work with a GitHub user. See RBAC log below.
Github RBAC
Local User
Bug details: