strideynet
commented
6 months ago I definitely agree we're lacking functionality here - but I'd love to understand the use case here a little better. There's often existing ways of allowing a machine to access one of these cloud platforms already (e.g https://cloud.google.com/iam/docs/workload-identity-federation or https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html).
I'd like to understand why a user needs, or wants, Teleport to implement this functionality. Is it a case of their platform not providing an identity that can be exchanged for one on the cloud platform, or are we providing some level of additional access control ? or is this a case of consolidating access onto one platform? Understanding the motivation here may let us tailor this solution a little better.
aprohorov-callsign
What would you like Teleport to do?
Add support within Teleport Machine ID's configuration to specify cloud roles for AWS, Azure, and GCP applications analogous to the
--aws-role,--azure-identity, and--gcp-service-accountflags intsh. This will allow Machine IDs to correctly generate identities for cloud applications, which is currently resulting in the error "selected app X is not an AWS application" when runningtbot proxy aws.What problem does this solve?
When attempting to use
tbot proxy awswith a cloud application defined intbot's configuration (outputs/destinations), it fails with an error indicating that the selected app is not recognized as a cloud application. This prevents automation scenarios such as accessing AWS CLI through Teleport in CI/CD pipelines using Teleport's Machine ID feature.The error
selected app "aws-client" is not an AWS applicationsuggests that the current implementation of Teleport Machine ID may not support specifying cloud roles needed for cloud applications.If a workaround exists, please include it.
Currently, there is no known workaround for accessing cloud applications via Teleport Machine ID with
tbot proxy. A manual login usingtshwith interactive users seems to be the only way to access these cloud apps, which doesn't solve the use case for automated access in CI/CD environments.Additional info
Click to expand
When `tbot` or `tsh` generate a credential for an app, it creates a user certificate that has the name of the app in question embedded in the x509 data. For example, the x509 data for an app called "grafana" might include the following: ``` 1.3.9999.1.6=grafana.teleport.example.com, 1.3.9999.1.10=grafana ``` For an AWS app, it has those same references, but it also requires info about the AWS role. ``` 1.3.9999.1.6=awscli.teleport.example.com, 1.3.9999.1.10=awscli, 1.3.9999.1.11=arn:aws:iam::000000000000:role/poweruser, 1.3.9999.1.12=arn:aws:iam::000000000000:role/poweruser, 1.3.9999.1.12=arn:aws:iam::000000000000:role/readonly ``` The `1.3.9999.1.11` value specifies the requested role. `tbot` doesn't include that bit since there isn't a way to specify it in the config file. It does include the `1.3.9999.1.12` entries. Those are just the roles that are allowed to be requested. When `tbot proxy aws` is instructed to use that cert, the missing `1.3.9999.1.11` field makes it think that it is a non-AWS app, resulting in the error message about the app not being an AWS app. To see the Subject of the x509 cert for an app: ``` openssl x509 -noout -subject -in ~/.tsh/keys/teleport.example.com/jeff-app/teleport.example.com/awscli-x509.pem ```