AWS OIDC Integration for VPN protected clusters

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.

https://goteleport.com

GNU Affero General Public License v3.0

17.68k stars 1.77k forks source link

AWS OIDC Integration for VPN protected clusters #34610

Open marcoandredinis opened 1 year ago

marcoandredinis commented 1 year ago

What would you like Teleport to do? Integrate with AWS when Teleport cluster is deployed without an Internet-public endpoint. Eg, internal network protected by VPN

What problem does this solve? Some deployments of Teleport are only accessible in an internal network. In those cases, the AWS OIDC Integration is not completed because Amazon can't:

get for the endpoint's thumbprint
HTTP GET the openid configuration available at https://<proxy.example.com>/.well-known/openid-configuration
HTTP GET the public keys referenced above

If a workaround exists, please include it.

marcoandredinis commented 8 months ago

Should be fixed by https://github.com/gravitational/teleport/issues/38782

marcoandredinis commented 8 months ago

Users should be able to set up the AWS OIDC Integration even if their cluster is not public facing. To do this, when the script is generated, users must run it on a machine that has AWS Credentials and access to the teleport proxy endpoint (https/website). Alternatively, users can fetch the script (run the curl https://... part), copy that script to CloudShell and then run it.

Alex-Giaquinto commented 3 months ago

@marcoandredinis I did this, but now when I try to enroll my EKS clusters, I am getting this error

rpc error: code = Unknown desc = operation error EKS: ListClusters, get identity: get credentials: failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, exceeded maximum number of attempts, 3, https response error StatusCode: 400, RequestID: xxx, InvalidIdentityToken: Couldn't retrieve verification key from your identity provider, please reference AssumeRoleWithWebIdentity documentation for requirements

Not sure what to do.

marcoandredinis commented 3 months ago

When I wrote this comment we had another method for setting up the integration, which used S3 buckets. However, that method was not easy to follow and caused a lot of issues. Some time ago, AWS changed the primitives for setting up the OIDC IdP, which allowed us to simplify the integration https://aws.amazon.com/about-aws/whats-new/2024/07/aws-identity-access-management-open-id-connect-identity-providers/

We decided to remove that method, and only provide the simpler one.

I'll re-open the issue because it also means we can't use the Integration in clusters which are not publicly accessible.