Bad Request | Teleport 11.3.5 | AWS Console

[itsmesuniljacob]

Expected behavior:

Trying to access AWS Management Console through Teleport. The AWS console should be accessed as a federated login

Current behavior: Getting Bad request

However AWS CLI is working perfectly without any issues Bug details:

• Teleport version 11.3.5

• Recreation steps Install Teleport HA config in EKS. Follow documentation of AWS console access

• Debug logs

  2023-02-27T10:46:28Z INFO [CA]        Generating TLS certificate {0xa12bdc0 0xc001d64390 1.3.9999.1.15=#13046e6f6e65,1.3.9999.1.7=#133874656c65706f72742e7574696c6974792d76372e656e676f70732e7075626c69632e6177732e637261646c65706f696e7465636d2e636f6d,1.3.9999.1.12=#133461726e3a6177733a69616d3a3a3938373439373733313331373a726f6c652f4578616d706c65526561644f6e6c79416363657373,1.3.9999.1.11=#133461726e3a6177733a69616d3a3a3938373439373733313331373a726f6c652f4578616d706c65526561644f6e6c79416363657373,1.3.9999.1.5=#133874656c65706f72742e7574696c6974792d76372e656e676f70732e7075626c69632e6177732e637261646c65706f696e7465636d2e636f6d,1.3.9999.1.6=#1343617773636f6e736f6c652e74656c65706f72742e7574696c6974792d76372e656e676f70732e7075626c69632e6177732e637261646c65706f696e7465636d2e636f6d,1.3.9999.1.4=#132434383863613934372d303462362d346533302d383666632d353863336466613934373039,1.3.9999.1.3=#133874656c65706f72742e7574696c6974792d76372e656e676f70732e7075626c69632e6177732e637261646c65706f696e7465636d2e636f6d,1.3.9999.1.2=#130e73797374656d3a6d617374657273,CN=sjacob,OU=usage:apps,O=access+O=editor+O=member+O=aws-console-access,POSTALCODE={\"aws_role_arns\":null\,\"db_names\":null\,\"db_users\":null\,\"kubernetes_groups\":null\,\"kubernetes_users\":null\,\"logins\":null\,\"windows_logins\":null},STREET=teleport.example.com,L=-teleport-nologin-6bd6b6a7-4548-4935-b65c-6076d8d5b37f+L=-teleport-internal-join 2023-02-27 22:46:12.002649689 +0000 UTC [] [] 5 []}. common_name:sjacob dns_names:[] locality:[-teleport-nologin-6bd6b6a7-4548-4935-b65c-6076d8d5b37f -teleport-internal-join] not_after:2023-02-27 22:46:12.002649689 +0000 UTC org:[access editor member aws-console-access] org_unit:[usage:apps] tlsca/ca.go:935
  2023-02-27T10:46:28Z INFO [AUDIT]     cert.create cert_type:user cluster_name:teleport.example.com code:TC000I ei:0 event:cert.create aws_role_arns:[arn:aws:iam::987497731317:role/ExampleReadOnlyAccess] expires:2023-02-27T22:46:12.002649689Z kubernetes_cluster:teleport.example.com kubernetes_groups:[system:masters] logins:[-teleport-nologin-6bd6b6a7-4548-4935-b65c-6076d8d5b37f -teleport-internal-join] prev_identity_expires:0001-01-01T00:00:00Z roles:[access editor member aws-console-access] aws_role_arn:arn:aws:iam::987497731317:role/ExampleReadOnlyAccess cluster_name:teleport.example.com name: public_addr:awsconsole.teleport.example.com session_id:488ca947-04b6-4e30-86fc-58c3dfa94709 route_to_cluster:teleport.example.com teleport_cluster:teleport.example.com aws_role_arns:<nil> db_names:<nil> db_users:<nil> kubernetes_groups:<nil> kubernetes_users:<nil> logins:<nil> windows_logins:<nil> usage:[usage:apps] user:sjacob time:2023-02-27T10:46:28.332Z uid:2cdb04d4-d2ea-430c-becd-df8ca6c9fdb4 events/emitter.go:263
  2023-02-27T10:46:29Z INFO [AUDIT]     app.session.start addr.remote:10.200.138.52:24690 app_name:awsconsole app_public_addr:awsconsole.teleport.example.com app_uri:https://console.aws.amazon.com/ec2/v2/home aws_role_arn:arn:aws:iam::987497731317:role/ExampleReadOnlyAccess cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default public_addr:awsconsole.teleport.example.com server_id:854e298f-a2ee-4f0d-a350-79e0b3c895d5 sid:488ca947-04b6-4e30-86fc-58c3dfa94709 time:2023-02-27T10:46:29.37Z uid:1da039d4-2c56-410d-b61f-3b3934c86763 user:sjacob events/emitter.go:263
  2023-02-27T10:46:29Z INFO [AUDIT]     app.session.start addr.remote:10.200.138.52:24690 app_name:awsconsole app_public_addr:awsconsole.teleport.example.com app_uri:https://console.aws.amazon.com/ec2/v2/home aws_role_arn:arn:aws:iam::987497731317:role/ExampleReadOnlyAccess cluster_name:teleport.example.com code:T2007I ei:0 event:app.session.start namespace:default public_addr:awsconsole.teleport.example.com server_id:854e298f-a2ee-4f0d-a350-79e0b3c895d5 sid:488ca947-04b6-4e30-86fc-58c3dfa94709 time:2023-02-27T10:46:29.37Z uid:1da039d4-2c56-410d-b61f-3b3934c86763 user:sjacob events/emitter.go:263
  2023-02-27T10:46:32Z WARN [APP:SERVI] Failed to handle client connection. error:[
  ERROR REPORT:
  Original Error: *errors.errorString EOF
  Stack Trace:
  github.com/gravitational/teleport/lib/srv/app/server.go:861 github.com/gravitational/teleport/lib/srv/app.(*Server).getConnectionInfo
  github.com/gravitational/teleport/lib/srv/app/server.go:658 github.com/gravitational/teleport/lib/srv/app.(*Server).handleConnection
  github.com/gravitational/teleport/lib/srv/app/server.go:625 github.com/gravitational/teleport/lib/srv/app.(*Server).HandleConnection
  github.com/gravitational/teleport/lib/reversetunnel/transport.go:275 github.com/gravitational/teleport/lib/reversetunnel.(*transport).start
  github.com/gravitational/teleport/lib/reversetunnel/agent.go:581 github.com/gravitational/teleport/lib/reversetunnel.(*agent).handleDrainChannels.func2
  runtime/asm_amd64.s:1594 runtime.goexit
  User Message: TLS handshake failed
  EOF] app/server.go:632
  2023-02-27T10:46:32Z WARN [APP:SERVI] Failed to close client connection. error:[
  ERROR REPORT:
  Original Error: trace.aggregate EOF
  Stack Trace:
  github.com/gravitational/teleport/api@v0.0.0/utils/sshutils/chconn.go:113 github.com/gravitational/teleport/api/utils/sshutils.(*ChConn).Close
  github.com/gravitational/teleport/lib/srv/app/server.go:633 github.com/gravitational/teleport/lib/srv/app.(*Server).HandleConnection
  github.com/gravitational/teleport/lib/reversetunnel/transport.go:275 github.com/gravitational/teleport/lib/reversetunnel.(*transport).start
  github.com/gravitational/teleport/lib/reversetunnel/agent.go:581 github.com/gravitational/teleport/lib/reversetunnel.(*agent).handleDrainChannels.func2
  runtime/asm_amd64.s:1594 runtime.goexit
  User Message: EOF] app/server.go:634
  2023-02-27T10:46:33Z WARN [APP:SERVI] Failed to serve request: non-200 response from AWS federation endpoint: "400 Bad Request" map[Content-Security-Policy:[default-src 'none' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://*.analytics.console.aws.a2z.com  'nonce-dX+EemT/qICK3/BasPX7qg=='; script-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://d1dgtfo2wk29o4.cloudfront.net/fwcim.js https://m.media-amazon.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com   'report-sample' 'nonce-dX+EemT/qICK3/BasPX7qg=='; style-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://aws-signin-website-assets.s3.amazonaws.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com 'unsafe-inline'; img-src 'self' data: https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://opfcaptcha-prod.s3.amazonaws.com https://images-na.ssl-images-amazon.com https://d1.awsstatic.com https://internal-cdn.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://d0.awsstatic.com; media-src 'self' https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://opfcaptcha-prod.s3.amazonaws.com; report-uri /metrics/cspreport;] Content-Security-Policy-Report-Only:[default-src 'none' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://*.analytics.console.aws.a2z.com  'nonce-dX+EemT/qICK3/BasPX7qg=='; script-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://d1dgtfo2wk29o4.cloudfront.net/fwcim.js https://m.media-amazon.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com   'report-sample' 'nonce-dX+EemT/qICK3/BasPX7qg=='; style-src 'self' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://aws-signin-website-assets.s3.amazonaws.com https://l0.awsstatic.com https://images-na.ssl-images-amazon.com 'unsafe-inline'; img-src 'self' data: https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://opfcaptcha-prod.s3.amazonaws.com https://images-na.ssl-images-amazon.com https://d1.awsstatic.com https://internal-cdn.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://d0.awsstatic.com; media-src 'self' https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://media.amazonwebservices.com https://d36cz9buwru1tt.cloudfront.net https://opfcaptcha-prod.s3.amazonaws.com; report-uri /metrics/cspreportonly;] Content-Type:[text/html;charset=UTF-8] Date:[Mon, 27 Feb 2023 10:46:33 GMT] Server:[Server] Set-Cookie:[aws-ubid-main=231-7303080-1038606; Domain=.amazon.com; Expires=Tue, 27-Feb-2024 10:46:33 GMT; Path=/; Secure; HttpOnly; SameSite=None] Strict-Transport-Security:[max-age=31536000; includeSubDomains] Vary:[accept-encoding] X-Content-Type-Options:[nosniff] X-Frame-Options:[DENY] X-Ua-Compatible:[IE=Edge] X-Xss-Protection:[1; mode=block]] "<!DOCTYPE html>\n<html lang=\"en\" class=\"aws-ember\">\n<head>\n  <meta http-equiv=\"content-type\" content=\"text/html; charset=UTF-8\" />\n  <meta http-equiv=\"Content-Security-Policy\" content=\"Content-Security-Policy: default-src 'self'\">\n  <meta name=\"viewport\" content=\"width=device-width, initial-scale=1.0\" />\n  <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\" />\n  <title>Bad Request</title>\n  <link rel=\"stylesheet\" href=\"/static/styles/ep-style/style.css\" />\n</head>\n<body class=\"awsm\">\n<header id=\"aws-page-header\" class=\"awsm m-page-header\" role=\"banner\">\n  <div id=\"m-nav\" class=\"m-nav\" role=\"navigation\">\n    <div class=\"m-nav-header lb-clearfix\" data-menu-url=\"https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html\">\n      <div class=\"m-nav-logo\">\n        <div class=\"lb-bg-logo aws-amazon_web_services_smile-header-desktop-en\">\n          <a href=\"https://aws.amazon.com/?nc2=h_lg\"><span>Click here to return to Amazon Web Services homepage</span></a>\n        </div>\n      </div>\n    </div>\n  </div>\n</header>\n<div class=\"content\">\n  <main role=\"main\">\n    <div data-mbox=\"en_400_content\">\n      <div class=\"lb-row lb-snap lb-row-max-large\">\n        <div class=\"lb-tiny-24 lb-col error\">\n          <h1 class=\"error-code\">400</h1>\n          <h1>Bad Request</h1>\n\n          <p>\n            You may have typed the address incorrectly or you may have used\n            an outdated link.\n            <br/>\n            Please clear your cookies and try the request again.  If the problem persists, please contact <a href=\"https://aws.amazon.com/support\" target=\"_blank\">Support</a>.\n            We apologize for the inconvenience.<br />\n          </p>\n        </div>\n      </div>\n    </div>\n  </main>\n</div>\n<footer id=\"aws-page-footer\" class=\"m-page-footer\" role=\"contentinfo\">\n  <div data-lb-comp=\"google-rlsa-pixel\"></div>\n  <div class=\"data-attr-wrapper lb-none-v-margin lb-xb-grid-wrap\" data-da-type=\"so\"\n       data-da-so-type=\"viewport\" data-da-so-language=\"en\" data-da-so-category=\"monitoring\" data-da-so-name=\"footer\"\n       data-da-so-version=\"a\">\n    <div class=\"lb-xb-grid lb-row-max-large lb-snap lb-tiny-xb-1 lb-small-xb-3 lb-large-xb-5\">\n      <div class=\"lb-xbcol\">\n        <div class=\"data-attr-wrapper lb-small-hide lb-btn\" data-da-type=\"so\" data-da-so-type=\"viewport\"\n             data-da-so-language=\"en\" data-da-so-category=\"monitoring\" data-da-so-name=\"footer_buttons\"\n             data-da-so-url=\"all\" data-da-so-version=\"footer_signin-mobile-default\">\n          <a class=\"lb-btn-p-primary\"\n             href=\"https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile\" role=\"button\">\n            <span> Sign In to the Console</span> </a>\n        </div>\n        <h3 id=\"Learn_About_AWS\" class=\"lb-txt-none lb-txt-p-chromium lb-tiny-v-margin lb-h3 lb-title\"> Learn About\n          AWS</h3>\n        <ul class=\"lb-txt-p-chromium lb-ul lb-list-style-none lb-li-micro-v-margin lb-tiny-ul-block\">\n          <li><a href=\"https://aws.amazon.com/what-is-aws/?nc1=f_cc\" target=\"_blank\">What Is AWS?</a></li>\n          <li><a href=\"https://aws.amazon.com/what-is-cloud-computing/?nc1=f_cc\" target=\"_blank\">What Is Cloud\n            Computing?</a></li>\n          <li><a href=\"https://aws.amazon.com/devops/what-is-devops/?nc1=f_cc\" target=\"_blank\">What Is DevOps?</a></li>\n          <li><a href=\"https://aws.amazon.com/containers/?nc1=f_cc\" target=\"_blank\">What Is a Container?</a></li>\n          <li><a href=\"https://aws.amazon.com/big-data/datalakes-and-analytics/what-is-a-data-lake/?nc1=f_cc\"\n                 target=\"_blank\">What Is a Data Lake?</a></li>\n          <li><a href=\"https://aws.amazon.com/security/?nc1=f_cc\" target=\"_blank\">AWS Cloud Security</a></li>\n          <li><a href=\"https://aws.amazon.com/new/?nc1=f_cc\" target=\"_blank\">What's New</a></li>\n          <li><a href=\"https://aws.amazon.com/blogs/?nc1=f_cc\" target=\"_blank\">Blogs</a></li>\n          <li><a href=\"https://press.aboutamazon.com/press-releases/aws\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"Press Releases\">Press\n            Releases</a></li>\n        </ul>\n      </div>\n      <div class=\"lb-xbcol\">\n        <h3 id=\"Resources_for_AWS\" class=\"lb-txt-none lb-txt-p-chromium lb-tiny-v-margin lb-h3 lb-title\"> Resources for\n          AWS</h3>\n        <ul class=\"lb-txt-p-chromium lb-ul lb-list-style-none lb-li-micro-v-margin lb-tiny-ul-block\">\n          <li><a href=\"https://aws.amazon.com/getting-started/?nc1=f_cc\" target=\"_blank\">Getting Started</a></li>\n          <li><a href=\"https://aws.amazon.com/training/?nc1=f_cc\" target=\"_blank\">Training and Certification</a></li>\n          <li><a href=\"https://aws.amazon.com/solutions/?nc1=f_cc\" target=\"_blank\">AWS Solutions Portfolio</a></li>\n          <li><a href=\"https://aws.amazon.com/architecture/?nc1=f_cc\" target=\"_blank\">Architecture Center</a></li>\n          <li><a href=\"https://aws.amazon.com/faqs/?nc1=f_dr\" target=\"_blank\">Product and Technical FAQs</a></li>\n          <li><a href=\"https://aws.amazon.com/resources/analyst-reports/?nc1=f_cc\" target=\"_blank\">Analyst Reports</a>\n          </li>\n          <li><a href=\"https://aws.amazon.com/partners/?nc1=f_dr\" target=\"_blank\">AWS Partner Network</a></li>\n        </ul>\n      </div>\n      <div class=\"lb-xbcol\">\n        <h3 id=\"Developers_on_AWS\" class=\"lb-txt-none lb-txt-p-chromium lb-tiny-v-margin lb-h3 lb-title\"> Developers on\n          AWS</h3>\n        <ul class=\"lb-txt-p-chromium lb-ul lb-list-style-none lb-li-micro-v-margin lb-tiny-ul-block\">\n          <li><a href=\"https://aws.amazon.com/developer/?nc1=f_dr\" target=\"_blank\">Developer Center</a></li>\n          <li><a href=\"https://aws.amazon.com/developer/tools/?nc1=f_dr\" target=\"_blank\">SDKs &amp; Tools</a></li>\n          <li><a href=\"https://aws.amazon.com/developer/language/net/?nc1=f_dr\" target=\"_blank\">.NET on AWS</a></li>\n          <li><a href=\"https://aws.amazon.com/developer/language/python/?nc1=f_dr\" target=\"_blank\">Python on AWS</a>\n          </li>\n          <li><a href=\"https://aws.amazon.com/developer/language/java/?nc1=f_dr\" target=\"_blank\">Java on AWS</a></li>\n          <li><a href=\"https://aws.amazon.com/developer/language/php/?nc1=f_cc\" target=\"_blank\">PHP on AWS</a></li>\n          <li><a href=\"https://aws.amazon.com/developer/language/javascript/?nc1=f_dr\" target=\"_blank\">Javascript on\n            AWS</a></li>\n        </ul>\n      </div>\n      <div class=\"lb-xbcol\">\n        <h3 id=\"Help\" class=\"lb-txt-none lb-txt-p-chromium lb-tiny-v-margin lb-h3 lb-title\"> Help</h3>\n        <ul class=\"lb-txt-p-chromium lb-ul lb-list-style-none lb-li-micro-v-margin lb-tiny-ul-block\">\n          <li><a href=\"https://aws.amazon.com/contact-us/?nc1=f_m\" target=\"_blank\">Contact Us</a></li>\n          <li><a href=\"https://www.amazon.jobs/aws\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Careers</a></li>\n          <li><a href=\"https://console.aws.amazon.com/support/home/?nc1=f_dr\" target=\"_blank\">File a Support Ticket</a>\n          </li>\n          <li><a href=\"https://aws.amazon.com/premiumsupport/knowledge-center/?nc1=f_dr\" target=\"_blank\">Knowledge\n            Center</a></li>\n          <li><a href=\"https://aws.amazon.com/premiumsupport/?nc1=f_dr\" target=\"_blank\">AWS Support Overview</a></li>\n          <li><a href=\"https://aws.amazon.com/legal/?nc1=f_cc\" target=\"_blank\">Legal</a></li>\n        </ul>\n        <div class=\"lb-mbox js-mbox\" data-lb-comp=\"mbox\" data-mbox=\"en_footer-v3_addl-help\" data-lb-comp-ignore=\"true\">\n        </div>\n      </div>\n      <div class=\"lb-xbcol\">\n        <div class=\"lb-mbox\" data-lb-comp=\"mbox\" data-mbox=\"en_footer-v3_cta\" data-lb-comp-ignore=\"true\">\n          <div class=\"data-attr-wrapper lb-tiny-hide lb-small-show lb-btn\" data-da-type=\"so\" data-da-so-type=\"viewport\"\n               data-da-so-language=\"en\" data-da-so-category=\"monitoring\" data-da-so-name=\"footer_buttons\"\n               data-da-so-url=\"all\" data-da-so-version=\"footer_signup-default\">\n            <a class=\"lb-btn-p-primary\"\n               href=\"https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default\"\n               role=\"button\"> <span> Create an AWS Account</span> </a>\n          </div>\n        </div>\n        <div class=\"lb-xb-grid-wrap\">\n          <div\n              class=\"lb-xb-grid lb-row-max-large lb-xb-equal-height lb-snap lb-gutter-collapse lb-vgutter-collapse lb-tiny-xb-auto\">\n            <div class=\"lb-xbcol\">\n              <a class=\"lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt\"\n                 href=\"https://twitter.com/awscloud\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"Twitter\"> <i class=\"icon-twitter\"></i></a>\n            </div>\n            <div class=\"lb-xbcol\">\n              <a class=\"lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt\"\n                 href=\"https://www.facebook.com/amazonwebservices\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"Facebook\"> <i\n                  class=\"icon-facebook\"></i></a>\n            </div>\n            <div class=\"lb-xbcol\">\n              <a class=\"lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt\"\n                 href=\"https://www.twitch.tv/aws\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"Twitch\"> <i class=\"icon-twitch\"></i></a>\n            </div>\n            <div class=\"lb-xbcol\">\n              <a class=\"lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt\"\n                 href=\"https://aws.amazon.com/podcasts/aws-podcast/\" target=\"_blank\" rel=\"noopener noreferrer\" title=\"Podcast\"> <i\n                  class=\"icon-podcast\"></i></a>\n            </div>\n            <div class=\"lb-xbcol\">\n              <a class=\"lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt\"\n                 href=\"https://pages.awscloud.com/communication-preferences?trk=homepage\" target=\"_blank\" title=\"Email\">\n                <i class=\"icon-envelope-o\"></i></a>\n            </div>\n          </div>\n        </div>\n        <div class=\"lb-txt-normal lb-txt-white lb-txt-14 lb-rtxt\">\n          <div>\n            Amazon is an Equal Opportunity Employer:\n            <i> Minority / Women / Disability / Veteran / Gender Identity / Sexual Orientation / Age.</i>\n          </div>\n        </div>\n      </div>\n    </div>\n  </div>\n  <div class=\"lb-none-pad lb-none-v-margin lb-xb-grid-wrap\">\n    <div class=\"lb-xb-grid lb-row-max-large lb-snap lb-tiny-xb-1\">\n      <div class=\"lb-xbcol\">\n        <ul class=\"lb-txt-p-chromium lb-tiny-iblock lb-none-v-margin lb-ul lb-list-style-none lb-li-micro-v-margin lb-tiny-ul-iblock\">\n          <li class=\"lb-txt-bold\">Language</li>\n          <li data-language=\"ar\"><a href=\"https://aws.amazon.com/ar/?nc1=h_ls\">عربي</a></li>\n          <li data-language=\"id\"><a href=\"https://aws.amazon.com/id/?nc1=h_ls\">Bahasa Indonesia</a></li>\n          <li data-language=\"de\"><a href=\"https://aws.amazon.com/de/?nc1=h_ls\">Deutsch</a></li>\n          <li data-language=\"en\"><a href=\"https://aws.amazon.com/?nc1=h_ls\">English</a></li>\n          <li data-language=\"es\"><a href=\"https://aws.amazon.com/es/?nc1=h_ls\">Espa&ntilde;ol</a></li>\n          <li data-language=\"fr\"><a href=\"https://aws.amazon.com/fr/?nc1=h_ls\">Fran&ccedil;ais</a></li>\n          <li data-language=\"it\"><a href=\"https://aws.amazon.com/it/?nc1=h_ls\">Italiano</a></li>\n          <li data-language=\"pt\"><a href=\"https://aws.amazon.com/pt/?nc1=h_ls\">Portugu&ecirc;s</a></li>\n          <li data-language=\"vi\"><a href=\"https://aws.amazon.com/vi/?nc1=f_ls\">Tiếng Việt</a></li>\n          <li data-language=\"tr\"><a href=\"https://aws.amazon.com/tr/?nc1=h_ls\">T&uuml;rk&ccedil;e</a></li>\n          <li data-language=\"ru\"><a href=\"https://aws.amazon.com/ru/?nc1=h_ls\">Ρусский</a></li>\n          <li data-language=\"th\"><a href=\"https://aws.amazon.com/th/?nc1=f_ls\">ไทย</a></li>\n          <li data-language=\"jp\"><a href=\"https://aws.amazon.com/jp/?nc1=h_ls\">日本語</a></li>\n          <li data-language=\"ko\"><a href=\"https://aws.amazon.com/ko/?nc1=h_ls\">한국어</a></li>\n          <li data-language=\"cn\"><a href=\"https://aws.amazon.com/cn/?nc1=h_ls\">中文 (简体)</a></li>\n          <li data-language=\"tw\"><a href=\"https://aws.amazon.com/tw/?nc1=h_ls\">中文 (繁體)</a></li>\n        </ul>\n      </div>\n    </div>\n  </div>\n  <div class=\"lb-none-pad lb-none-v-margin lb-xb-grid-wrap lb-tos\">\n    <div class=\"lb-xb-grid lb-row-max-large lb-snap lb-tiny-xb-1\">\n      <div class=\"lb-xbcol\">\n        <ul class=\"lb-txt-p-squid-ink lb-none-v-margin lb-ul lb-list-style-none lb-li-none-v-margin lb-tiny-ul-iblock\">\n          <li><a href=\"https://aws.amazon.com/privacy/?nc1=f_pr\">Privacy</a></li>\n          <li>|</li>\n          <li><a href=\"https://aws.amazon.com/terms/?nc1=f_pr\">Site Terms</a></li>\n          <li>|</li>\n          <li>&copy; 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.</li>\n        </ul>\n      </div>\n    </div>\n  </div>\n</footer>\n</body>\n</html>". app/server.go:773

• Additional Info This aws account has an oidc delegated role with it to allow kubernetes to assume this role, and AWS has an iam policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TeleportRole",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::XXX:role/TeleportReadOnly"
        }
    ]
}

• Snippet of agent log

2023-02-27T10:46:33Z WARN [APP:SERVI] Failed to serve request: non-200 response from AWS federation endpoint: "400 Bad Request" map[Content-Security-Policy:[default-src 'none' https://aws.amazon.com https://*.signin.aws.amazon.com https://signin.aws.amazon.com https://*.analytics.console.aws.a2z.com  'nonce-dX+EemT/qICK3/BasPX7qg=='; script-src 'self'

AWS CLI access (i.e. tsh aws) is working fine The issue is with AWS web console access through Teleport.

[greedy52]

First thanks for the debugging call.

I am able to reproduce it now with kube2iamand have found the actual root cause today. In short, the way kube2iam hijacks the ec2 metadata apis makes Teleport Agent thinks its host is an ec2, not a "temporary credential".

It's very hard to detect if kiam or kube2iam is hijacking the traffic. One possible workaround is to add an environment variable (e.g. TELEPORT_AWS_FEDERATION_TEMPORARY_CREDENTIALS=true) to force the decision on whether we think the host session is using temporary credentials. This could help debug future potential problems too.

The reason we haven't seen this before is we usually attach the IAM role either through IAM service account though odic or directly through the node's identity. And those are also valid options to avoid the kube2iam issue.

[itsmesuniljacob]

Thanks @greedy52. I was thinking that kube2iam intercepts traffic from the containers to the EC2 Metadata API, calling the AWS Security Token Service (STS) API to obtain temporary credentials using the pod configured role, then using these temporary credentials to perform the original request.

So, does this mean session duration may not be the culprit here?

This environment variable, where do we add the same?

[greedy52]

So, does this mean session duration may not be the culprit here?

Correct. It's a red herring. The actual culprit is Teleport think it's using EC2/node credentials, instead of a temporary one.

This environment variable, where do we add the same?

We have to implement this toggle through an env var, and release it as a patch.

[itsmesuniljacob]

Thanks @greedy52. I tried with IRSA and I was able to access AWS console and AWS CLI, successfully. However, it seems I have an issues when doing kubectl operations , which is giving me 403 in the audit logs.

{
  "addr.local": "172.20.0.1:443",
  "addr.remote": "127.0.0.1:58240",
  "cluster_name": "teleport.example.com",
  "code": "T3009I",
  "ei": 0,
  "event": "kube.request",
  "kubernetes_cluster": "teleport.example.com",
  "kubernetes_groups": [
    "system:authenticated",
    "system:masters"
  ],
  "kubernetes_users": [
    "sunilj"
  ],
  "login": "sunilj",
  "namespace": "default",
  "proto": "kube",
  "request_path": "/api/v1/namespaces/default/pods",
  "resource_api_group": "core/v1",
  "resource_kind": "pods",
  "resource_namespace": "default",
  "response_code": 403,
  "server_id": "29bb5071-54b0-4924-bae3-ea3b2d173bde",
  "time": "2023-03-09T11:10:44.675Z",
  "uid": "e4c50f24-8596-447b-bd34-c1aed9401e0f",
  "user": "sunilj",
  "verb": "GET"
}

error: the server doesn't have a resource type "pod"

[greedy52]

I tried with IRSA and I was able to access AWS console and AWS CLI, successfully.

Awesome! The web console session is likely limited to one hour for IRSA.

However, it seems I have an issues when doing kubectl operations , which is giving me 403 in the audit logs.

I am not a Kube Access expert, but I would first double-check if Kubernetes groups from tsh status is valid.. https://goteleport.com/docs/kubernetes-access/controls/

[itsmesuniljacob]

@greedy52 The Kubernetes groups show systems:masters

The logins show Logins: -teleport-nologin-e2008735-b66a-4b57-9e2e-77f0fa9b6605, -teleport-internal-join

[greedy52]

The Logins are usernames for SSH access so I don't think it's related.

[itsmesuniljacob]

@greedy52 I have fixed the issue. It was the problem with cluster role binding. The service account name was not correct in Subjects field. This occurred, because I did manual changes

Really appreciate your help