gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

AWS web console is limited to 1hr when App Service is deployed on EKS with IRSA #35042

Open greedy52 opened 10 months ago

greedy52 commented 10 months ago

Expected behavior: AWS web console session duration should match the user's session TTL when App Service is deployed using IAM role as service account (IRSA).

Current behavior: Due to AWS's role chaining limitation, the AWS federation session is maxed at 1hr when the host of the App Service uses "temporary" credentials.

Bug details:

Current Workaround: Move App Service to an EC2

greedy52 commented 10 months ago

The same applies to ECS Fargate, or any "temporary" credentials.
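The limitation discussed in this thread, as an added example (not Teleport's code and not written by the issue author): a Go helper that works out which console session length a host can actually request for a given user TTL. The function names and key IDs are hypothetical and constructed; the `ASIA`/`AKIA` key prefixes and the 15-minute to 12-hour console session range are AWS's documented conventions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const (
	minConsole      = 15 * time.Minute // AWS lower bound for a federated console session
	maxConsole      = 12 * time.Hour   // AWS upper bound (SessionDuration=43200)
	roleChainingCap = time.Hour        // limit once a temporary credential assumes another role
)

// isTemporaryKey reports whether an access key ID was issued by STS.
// AWS prefixes temporary keys with "ASIA" and long-term IAM user keys with "AKIA".
func isTemporaryKey(accessKeyID string) bool {
	return strings.HasPrefix(accessKeyID, "ASIA")
}

// ConsoleSessionDuration (hypothetical helper) returns the console session
// length to request for a user TTL, and whether role chaining shortened it.
func ConsoleSessionDuration(hostAccessKeyID string, userTTL time.Duration) (time.Duration, bool) {
	d := userTTL
	if d < minConsole {
		d = minConsole
	}
	if d > maxConsole {
		d = maxConsole
	}
	if isTemporaryKey(hostAccessKeyID) && d > roleChainingCap {
		return roleChainingCap, true
	}
	return d, false
}

func main() {
	// Constructed key IDs: an IRSA/Fargate-style temporary key and a long-term key.
	for _, key := range []string{"ASIAEXAMPLEEXAMPLE00", "AKIAEXAMPLEEXAMPLE00"} {
		d, capped := ConsoleSessionDuration(key, 8*time.Hour)
		fmt.Printf("%s ttl=8h -> console=%s capped=%v\n", key, d, capped)
	}
}
```

Logging the `capped` result at startup makes it visible to operators that a deployment on IRSA or Fargate will hand out 1-hour console sessions regardless of the configured TTL.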