Closed: itsmesuniljacob closed this issue 1 year ago.
First, thanks for the debugging call. I am able to reproduce it now with kube2iam and have found the actual root cause today. In short, the way kube2iam hijacks the EC2 metadata APIs makes the Teleport agent think its host is an EC2 instance using instance credentials, not temporary credentials.
It's very hard to detect whether kiam or kube2iam is hijacking the traffic. One possible workaround is to add an environment variable (e.g. TELEPORT_AWS_FEDERATION_TEMPORARY_CREDENTIALS=true) to force the decision on whether we think the host session is using temporary credentials. This could also help debug potential problems in the future.
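A minimal sketch of how such an override could work, using the variable name proposed above (this is illustrative only, not Teleport's actual code):

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// isTemporaryCredentials reports whether the session should be treated as
// using temporary credentials. When the env var is set, it overrides the
// metadata-based detection that kube2iam defeats.
func isTemporaryCredentials(detected bool) bool {
	if v := os.Getenv("TELEPORT_AWS_FEDERATION_TEMPORARY_CREDENTIALS"); v != "" {
		if forced, err := strconv.ParseBool(v); err == nil {
			return forced
		}
	}
	return detected // fall back to detection when the variable is unset
}

func main() {
	// Under kube2iam, detection wrongly reports "not temporary" (false);
	// setting the env var to true would force the correct decision.
	fmt.Println(isTemporaryCredentials(false))
}
```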
The reason we haven't seen this before is that we usually attach the IAM role either through an IAM service account via OIDC (IRSA) or directly through the node's identity. Those are also valid options for avoiding the kube2iam issue.
Thanks @greedy52. My understanding is that kube2iam intercepts traffic from the containers to the EC2 metadata API, calls the AWS Security Token Service (STS) API to obtain temporary credentials for the pod's configured role, and then uses those temporary credentials to serve the original request.
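For illustration, a minimal Go probe of the metadata endpoint (a sketch, not Teleport code) shows why the two cases are hard to tell apart: under kube2iam the same IMDS path answers with the pod role's temporary credentials, exactly as a real EC2 instance profile would.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"time"
)

func main() {
	client := &http.Client{Timeout: 2 * time.Second}

	// On a real node this request is answered by EC2 IMDS; under kube2iam
	// it is intercepted and answered with STS temporary credentials for the
	// pod's configured role -- same path, same response shape.
	resp, err := client.Get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
	if err != nil {
		fmt.Println("no metadata endpoint:", err)
		return
	}
	defer resp.Body.Close()

	body, _ := io.ReadAll(resp.Body)
	fmt.Println("role reported by the metadata endpoint:", string(body))
}
```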
So, does this mean session duration may not be the culprit here?
Where do we add this environment variable?
> So, does this mean session duration may not be the culprit here?
Correct. It's a red herring. The actual culprit is that Teleport thinks it's using EC2/node credentials instead of temporary ones.
> Where do we add this environment variable?
We have to implement this toggle through an env var and release it as a patch.
Thanks @greedy52. I tried with IRSA and was able to access the AWS console and AWS CLI successfully. However, it seems I have an issue with kubectl operations, which are giving me 403s in the audit logs.
{
  "addr.local": "172.20.0.1:443",
  "addr.remote": "127.0.0.1:58240",
  "cluster_name": "teleport.example.com",
  "code": "T3009I",
  "ei": 0,
  "event": "kube.request",
  "kubernetes_cluster": "teleport.example.com",
  "kubernetes_groups": [
    "system:authenticated",
    "system:masters"
  ],
  "kubernetes_users": [
    "sunilj"
  ],
  "login": "sunilj",
  "namespace": "default",
  "proto": "kube",
  "request_path": "/api/v1/namespaces/default/pods",
  "resource_api_group": "core/v1",
  "resource_kind": "pods",
  "resource_namespace": "default",
  "response_code": 403,
  "server_id": "29bb5071-54b0-4924-bae3-ea3b2d173bde",
  "time": "2023-03-09T11:10:44.675Z",
  "uid": "e4c50f24-8596-447b-bd34-c1aed9401e0f",
  "user": "sunilj",
  "verb": "GET"
}
error: the server doesn't have a resource type "pod"
> I tried with IRSA and was able to access the AWS console and AWS CLI successfully.
Awesome! The web console session is likely limited to one hour for IRSA.
> However, it seems I have an issue with kubectl operations, which are giving me 403s in the audit logs.
I am not a Kube Access expert, but I would first double-check that the Kubernetes groups from tsh status are valid: https://goteleport.com/docs/kubernetes-access/controls/
@greedy52 The Kubernetes groups show system:masters. The logins show:
Logins: -teleport-nologin-e2008735-b66a-4b57-9e2e-77f0fa9b6605, -teleport-internal-join
The Logins are usernames for SSH access, so I don't think it's related.
@greedy52 I have fixed the issue. It was a problem with the cluster role binding: the service account name in the Subjects field was incorrect. This happened because I had made manual changes. Really appreciate your help!
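For reference, here is a sketch of what a corrected binding looks like, expressed with Kubernetes client-go types. The names (teleport-impersonation, teleport-kube-agent, the teleport namespace) are assumptions for illustration; the key point is that the service account name in Subjects must match the deployed ServiceAccount exactly.

```go
package main

import (
	"encoding/json"
	"fmt"

	rbacv1 "k8s.io/api/rbac/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// clusterRoleBinding builds a ClusterRoleBinding whose Subjects entry names
// the agent's actual ServiceAccount -- the field that was wrong here.
func clusterRoleBinding() *rbacv1.ClusterRoleBinding {
	return &rbacv1.ClusterRoleBinding{
		ObjectMeta: metav1.ObjectMeta{Name: "teleport-impersonation"}, // assumed name
		Subjects: []rbacv1.Subject{{
			Kind:      rbacv1.ServiceAccountKind,
			Name:      "teleport-kube-agent", // must match the deployed ServiceAccount
			Namespace: "teleport",            // assumed namespace
		}},
		RoleRef: rbacv1.RoleRef{
			APIGroup: rbacv1.GroupName,
			Kind:     "ClusterRole",
			Name:     "teleport-impersonation", // assumed ClusterRole name
		},
	}
}

func main() {
	b, _ := json.MarshalIndent(clusterRoleBinding(), "", "  ")
	fmt.Println(string(b))
}
```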
Expected behavior:
Trying to access the AWS Management Console through Teleport. The AWS console should be accessed via a federated login.

Current behavior:
Getting a Bad Request error. However, the AWS CLI is working perfectly without any issues.

Bug details:
Teleport version 11.3.5
Recreation steps:
Install Teleport in an HA config in EKS. Follow the documentation for AWS console access.
Debug logs
Additional info:
This AWS account has an OIDC delegated role attached to allow Kubernetes to assume the role, and AWS has an IAM policy. AWS CLI access (i.e. tsh aws) is working fine; the issue is with AWS web console access through Teleport.
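For context, console access like this ultimately relies on the standard AWS federation endpoint. A rough sketch of that public flow (placeholder credentials and Issuer, not Teleport's actual implementation) looks like this:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
)

func main() {
	// Placeholder temporary credentials, e.g. from sts:AssumeRole.
	session, _ := json.Marshal(map[string]string{
		"sessionId":    "ASIA...",   // AccessKeyId
		"sessionKey":   "secret...", // SecretAccessKey
		"sessionToken": "token...",  // SessionToken
	})

	// Step 1: exchange the temporary credentials for a SigninToken.
	q := url.Values{}
	q.Set("Action", "getSigninToken")
	q.Set("Session", string(session))
	resp, err := http.Get("https://signin.aws.amazon.com/federation?" + q.Encode())
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)

	var token struct{ SigninToken string }
	_ = json.Unmarshal(body, &token)

	// Step 2: build the console login URL from the SigninToken.
	login := url.Values{}
	login.Set("Action", "login")
	login.Set("Issuer", "teleport.example.com") // placeholder issuer
	login.Set("Destination", "https://console.aws.amazon.com/")
	login.Set("SigninToken", token.SigninToken)
	fmt.Println("https://signin.aws.amazon.com/federation?" + login.Encode())
}
```

Note that getSigninToken accepts temporary credentials directly, whereas long-lived credentials are typically exchanged via sts:GetFederationToken first, which is presumably why misclassifying the credential type (as with kube2iam above) breaks the console flow while leaving the CLI unaffected.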