gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Original Error: *trace.AccessDeniedError id token claims did not match any allow rules: Github Machine ID #17939

Closed. benarent closed this issue 1 year ago.

benarent commented 1 year ago

Expected behavior: I'm trying the new Github Machine ID code, but I'm running into this issue. It seems that my permissions are off, but it's unclear which one is throwing this message.

```text
Run ./tbot start -d --join-method=github --token=github-bot-2 --auth-server=teleport-11-ent.asteroid.earth:443 --oneshot --destination-dir=./certs --data-dir=./data
  ./tbot start -d --join-method=github --token=github-bot-2 --auth-server=teleport-11-ent.asteroid.earth:443 --oneshot --destination-dir=./certs --data-dir=./data
  shell: /usr/bin/bash -e {0}
WARN [TBOT]      CLI parameters are overriding onboarding config from  config/config.go:377
INFO [TBOT]      Created directory "./data" config/destination_directory.go:132
INFO [TBOT]      Created directory "./certs" config/destination_directory.go:132
DEBU [TBOT]      Unable to load from current key "key-cert.pub", trying to migrate from old key "sshcert" identity/identity.go:444
DEBU [TBOT]      Identity directory ./data is not found or empty and could not be loaded, will start from scratch: artifact "key-cert.pub" is unexpectedly empty in destination directory ./data tbot/tbot.go:320
INFO [TBOT]      Attempting to generate new identity from token tbot/renew.go:455
DEBU [AUTH]      Registering node to the cluster. auth-servers:[{teleport-11-ent.asteroid.earth:443 tcp }] auth/register.go:226
DEBU [AUTH]      The first specified auth server appears to be a proxy. auth/register.go:232
INFO [AUTH]      Attempting registration via proxy server. auth/register.go:239
DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport-11-ent.asteroid.earth:443, insecure=false) client/weblogin.go:259
DEBU [CLIENT]    Attempting https://teleport-11-ent.asteroid.earth:443/v1/webapi/host/credentials client/https_client.go:100
DEBU [AUTH]      Registration via proxy server failed. error:[
ERROR REPORT:
Original Error: *trace.AccessDeniedError id token claims did not match any allow rules
Stack Trace:

Caught:
    github.com/gravitational/teleport/lib/httplib/httplib.go:162 github.com/gravitational/teleport/lib/httplib.ConvertResponse
    github.com/gravitational/teleport/lib/client/https_client.go:105 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSONWithFallback
    github.com/gravitational/teleport/lib/client/weblogin.go:544 github.com/gravitational/teleport/lib/client.HostCredentials
    github.com/gravitational/teleport/lib/auth/register.go:289 github.com/gravitational/teleport/lib/auth.registerThroughProxy
    github.com/gravitational/teleport/lib/auth/register.go:240 github.com/gravitational/teleport/lib/auth.Register
    github.com/gravitational/teleport/lib/tbot/renew.go:477 github.com/gravitational/teleport/lib/tbot.(*Bot).getIdentityFromToken
    github.com/gravitational/teleport/lib/tbot/tbot.go:331 github.com/gravitational/teleport/lib/tbot.(*Bot).initialize
    github.com/gravitational/teleport/lib/tbot/tbot.go:226 github.com/gravitational/teleport/lib/tbot.(*Bot).Run
    github.com/gravitational/teleport/tool/tbot/main.go:233 main.onStart
    github.com/gravitational/teleport/tool/tbot/main.go:152 main.Run
    github.com/gravitational/teleport/tool/tbot/main.go:47 main.main
    runtime/proc.go:250 runtime.main
    runtime/asm_amd64.s:1594 runtime.goexit
User Message: id token claims did not match any allow rules
] auth/register.go:243
INFO [AUTH]      Attempting registration with auth server. auth/register.go:239
WARN [AUTH]      Joining cluster without validating the identity of the Auth Server. This may open you up to a Man-In-The-Middle (MITM) attack if an attacker can gain privileged network access. To remedy this, use the CA pin value provided when join token was generated to validate the identity of the Auth Server. auth/register.go:405
DEBU [AUTH]      Registration with auth server failed. error:[
ERROR REPORT:
Original Error: *trace.ConnectionProblemError Post "https://teleport.cluster.local/v2/tokens/register": remote error: tls: internal error
Stack Trace:
    github.com/gravitational/teleport/lib/httplib/httplib.go:153 github.com/gravitational/teleport/lib/httplib.ConvertResponse
    github.com/gravitational/teleport/lib/auth/clt.go:254 github.com/gravitational/teleport/lib/auth.(*Client).PostJSON
    github.com/gravitational/teleport/lib/auth/clt.go:485 github.com/gravitational/teleport/lib/auth.(*Client).RegisterUsingToken
    github.com/gravitational/teleport/lib/auth/register.go:346 github.com/gravitational/teleport/lib/auth.registerThroughAuth
    github.com/gravitational/teleport/lib/auth/register.go:240 github.com/gravitational/teleport/lib/auth.Register
    github.com/gravitational/teleport/lib/tbot/renew.go:477 github.com/gravitational/teleport/lib/tbot.(*Bot).getIdentityFromToken
    github.com/gravitational/teleport/lib/tbot/tbot.go:331 github.com/gravitational/teleport/lib/tbot.(*Bot).initialize
    github.com/gravitational/teleport/lib/tbot/tbot.go:226 github.com/gravitational/teleport/lib/tbot.(*Bot).Run
    github.com/gravitational/teleport/tool/tbot/main.go:233 main.onStart
    github.com/gravitational/teleport/tool/tbot/main.go:152 main.Run
    github.com/gravitational/teleport/tool/tbot/main.go:47 main.main
    runtime/proc.go:250 runtime.main
    runtime/asm_amd64.s:1594 runtime.goexit
User Message: Post "https://teleport.cluster.local/v2/tokens/register": remote error: tls: internal error] auth/register.go:243

ERROR REPORT:
Original Error: trace.aggregate id token claims did not match any allow rules, Post "https://teleport.cluster.local/v2/tokens/register": remote error: tls: internal error
Stack Trace:
    github.com/gravitational/teleport/lib/auth/register.go:249 github.com/gravitational/teleport/lib/auth.Register
    github.com/gravitational/teleport/lib/tbot/renew.go:477 github.com/gravitational/teleport/lib/tbot.(*Bot).getIdentityFromToken
    github.com/gravitational/teleport/lib/tbot/tbot.go:331 github.com/gravitational/teleport/lib/tbot.(*Bot).initialize
    github.com/gravitational/teleport/lib/tbot/tbot.go:226 github.com/gravitational/teleport/lib/tbot.(*Bot).Run
    github.com/gravitational/teleport/tool/tbot/main.go:233 main.onStart
    github.com/gravitational/teleport/tool/tbot/main.go:152 main.Run
    github.com/gravitational/teleport/tool/tbot/main.go:47 main.main
    runtime/proc.go:250 runtime.main
    runtime/asm_amd64.s:1594 runtime.goexit
User Message: id token claims did not match any allow rules, Post "https://teleport.cluster.local/v2/tokens/register": remote error: tls: internal error
Error: Process completed with exit code 1.
```


zmb3 commented 1 year ago

Please share the join token YAML (with any secrets redacted).

strideynet commented 1 year ago

I think we can probably do something to improve the logging on the server-side, but I'm not sure I want to leak information about which claim doesn't match to a client. In this case, if you share the token YAML we can probably work out what's not correct here :)

benarent commented 1 year ago

My token was created like this:

```yaml
kind: token
version: v2
metadata:
  name: github-bot-2
  expires: "3000-01-01T00:00:00Z"
spec:
  roles: [Bot, Node, Db, App, Kube]
  join_method: github
  bot_name: robot-2
  github:
    allow:
      - repository: asteroid-earth/example-gh-actions-machineid
        repository_owner: benarent
```

Then added via tctl bots with `tctl bots add robot-2 --token=github-bot-2 --roles=access --logins=root`

I created my first token with Terraform; that seemed to register, but I tried the YAML to remove any other steps.

```hcl
resource "teleport_provision_token" "github_bot" {
  spec = {
    roles       = ["Bot"]
    join_method = "github"
    # tctl bots add github-bot --token=github-bot --roles=access --logins=root
    bot_name    = "github-bot"
    github: {
      "allow": [
        {
          "repository": "asteroid-earth/example-gh-actions-machineid",
          "repository_owner": "benarent"
        }
      ]
    }
  }

  metadata = {
    name        = "github-bot"
    expires     = "3000-12-12T12:05:23Z"
    description = "testing the new provider sensitive values"
  }
}
```

GitHub Actions code:

```yaml
name: Demo
on:
  push:
    branches:
      - main

jobs:
  demo:
    permissions:
      # This is required or tbot will not be able to authenticate
      id-token: write
      contents: read
    name: demo
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Fetch tsh and tbot
        run: wget https://cdn.teleport.dev/teleport-v11.0.1-linux-amd64-bin.tar.gz
      - name: Install tsh
        run: tar -xvf teleport-v11.0.1-linux-amd64-bin.tar.gz
      - name: Install tsh
        run: sudo cp ./teleport/tbot ./tbot
      - name: Fetch credentials a
        run: ./tbot start -d --join-method=github --token=github-bot-2 --auth-server=teleport-11-ent.asteroid.earth:443 --oneshot --destination-dir=./certs --data-dir=./data
      - run: ls ./certs
      - name: List nodes
        run: ./tsh -i ./certs/identity --proxy teleport-11-ent.asteroid.earth:443 ls
```

strideynet commented 1 year ago

repository_owner in this case would be asteroid-earth, not benarent.

It's a little redundant really as in most cases, folks are going to be providing repository which includes this already.
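The claim-matching rule strideynet describes, shown as an added example that is not Teleport's own code: a minimal Go reimplementation of how a `spec.github.allow` list is checked against the claims in the GitHub Actions OIDC token. It assumes the semantics documented for the `github` join method, namely that every non-empty field in a rule must equal the corresponding token claim and that any one matching rule is enough. The `GitHubClaims` and `AllowRule` types, the `MatchAllowRules` function and the claim values are constructed for this illustration. It also shows the server-side-only diagnostic strideynet suggests, listing which rule fields mismatched, while the client still receives only the generic "id token claims did not match any allow rules" message.

```go
package main

import (
	"fmt"
	"strings"
)

// GitHubClaims holds the subset of claims from a GitHub Actions OIDC token
// that allow rules refer to (constructed type for this example).
type GitHubClaims struct {
	Repository      string // e.g. "asteroid-earth/example-gh-actions-machineid"
	RepositoryOwner string // the org or user that owns the repository
	Workflow        string
	Ref             string
}

// AllowRule mirrors one entry under spec.github.allow in a token resource.
// An empty field means "don't care"; every non-empty field must match exactly.
type AllowRule struct {
	Repository      string
	RepositoryOwner string
	Workflow        string
	Ref             string
}

// ruleMismatches returns the rule fields that do not match the claims.
// An empty result means the rule matches.
func ruleMismatches(c GitHubClaims, r AllowRule) []string {
	var out []string
	check := func(field, want, got string) {
		if want != "" && want != got {
			out = append(out, fmt.Sprintf("%s: rule=%q token=%q", field, want, got))
		}
	}
	check("repository", r.Repository, c.Repository)
	check("repository_owner", r.RepositoryOwner, c.RepositoryOwner)
	check("workflow", r.Workflow, c.Workflow)
	check("ref", r.Ref, c.Ref)
	return out
}

// MatchAllowRules accepts the token if any rule matches. On rejection it returns
// a diagnostic intended for the auth server's log only; the client should keep
// getting the generic "id token claims did not match any allow rules" error so
// that an unauthenticated caller learns nothing about the configured rules.
func MatchAllowRules(c GitHubClaims, rules []AllowRule) (ok bool, serverDiag string) {
	var diag []string
	for i, r := range rules {
		mm := ruleMismatches(c, r)
		if len(mm) == 0 {
			return true, ""
		}
		diag = append(diag, fmt.Sprintf("rule[%d]: %s", i, strings.Join(mm, "; ")))
	}
	return false, strings.Join(diag, "\n")
}

// Constructed claims, as a token minted for a push to main in the issue's repo
// would carry: the owner claim is the org, not the person who pushed.
var exampleClaims = GitHubClaims{
	Repository:      "asteroid-earth/example-gh-actions-machineid",
	RepositoryOwner: "asteroid-earth",
	Workflow:        "Demo",
	Ref:             "refs/heads/main",
}

// The rule as originally written in the issue, and the corrected one.
var (
	wrongOwnerRule   = AllowRule{Repository: "asteroid-earth/example-gh-actions-machineid", RepositoryOwner: "benarent"}
	correctOwnerRule = AllowRule{Repository: "asteroid-earth/example-gh-actions-machineid", RepositoryOwner: "asteroid-earth"}
)

func main() {
	ok, diag := MatchAllowRules(exampleClaims, []AllowRule{wrongOwnerRule})
	fmt.Println("original rule accepted:", ok)
	fmt.Println("server-side diagnostic:\n" + diag)
	ok, _ = MatchAllowRules(exampleClaims, []AllowRule{correctOwnerRule})
	fmt.Println("corrected rule accepted:", ok)
}
```

Running it shows the original rule rejected because the token's `repository_owner` claim is `asteroid-earth` while the rule demands `benarent`, and the corrected rule accepted. The per-field diagnostic stays on the server side by design; it is what an operator would want in the auth log when debugging a token like the one in this issue.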

strideynet commented 1 year ago

Raised https://github.com/gravitational/teleport/issues/17948 for improving these errors.

I'll close this down - feel free to message me on Slack if you still can't get this working.

sec0ndhand commented 1 year ago

I'm getting,

id token claims did not match any allow rules

using this walkthrough.

I posted this in slack, but this might put relevant information here if it needs to be fixed in code.

I tried this in one repo [my-org]/first-api and it didn't work. I then recreated keys, and bots multiple times but still got the error above when running in the first-api repo.

Then created a brand new repo [my-org]/teleport-test and used your sample action, and it worked! I was thrilled. So I copied the same action and ran it with no modifications in [my-org]/first-api and it still failed with the above message. I even created a second token and bot, and re-ran it, receiving the same error from the first-api repo.

Is there a reason this would work differently between 2 repos?

My token creation file:

```yaml
kind: token
version: v2
metadata:
  name: github-token
  expires: "2100-01-01T00:00:00Z"
spec:
  roles: [Bot]
  join_method: github
  bot_name: github-action
  github:
    allow:
      - repository: [my-org]/first-api
      - repository: [my-org]/second-api
      - repository: [my-org]/teleport-test
```

My GitHub action running in both teleport-test and first-api:

```yaml
# This is a basic workflow to help you get started.
# It will take the following action whenever a push is made to the "master" branch.
name: Testing Teleport
run-name: We're just seeing if this even works
on:
  push:
    branches:
      - master
      - main
      - development
  workflow_dispatch:
    branches:
      - master
      - main
      - development
jobs:
  demo:
    permissions:
      # The "id-token: write" permission is required or Machine ID will not be able to authenticate with the cluster.
      id-token: write
      contents: read
    # The name of the workflow, and the Linux distro to be used to perform the required steps.
    name: guide-demo
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Fetch Teleport binaries
        uses: teleport-actions/setup@v1
        with:
          version: 12.1.1
      - name: Fetch credentials using Machine ID
        id: auth
        uses: teleport-actions/auth@v1
        with:
          # Use the address of the auth/proxy server for your own cluster.
          proxy: teleport.mydomain.com:443
          # Use the name of the join token resource you created in step 1.
          token: github-token
          # Specify the length of time that the generated credentials should be
          # valid for. This is optional and defaults to "1h"
          certificate-ttl: 1h
          # Enable the submission of anonymous usage telemetry.
          anonymous-telemetry: 1
      - name: Write file to remote
        # Enters a command from the cluster, in this case "tsh ls" using Machine ID credentials to list remote SSH nodes.
        run: tsh -i ${{ steps.auth.outputs.identity-file }} ssh user@hostname "echo $GITHUB_SHA >> ~/github_run_log"
```