Open bothra90 opened 6 months ago
As stated on the other ticket:
but curious if/how it's going to be prioritized.
Unfortunately, I don't have a timeline on this yet. It's not likely a huge priority since IAM joining is a workaround in these environments.
Our team is also happy to contribute a PR if that would help and if you're willing to mentor/review.
More than happy to mentor a PR on this. You can reach me at noah @ goteleport.com - or reach out to me on the slack.
As for impl - we'll want to implement some form of caching here. It seems like AWS returns a cache-control header that we should respect. We may want to keep in mind that this won't just be for AWS and there are potentially implementations which won't return a cache-control, and in these cases we should pick a sensible default (e.g. 1 minute).
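The caching sketched in the comment above, as an added example (not Teleport's own code): a JWKS fetcher that honours the Cache-Control max-age when the issuer sends one and otherwise assumes a 1 minute TTL, so a rotated key set is re-fetched instead of failing on an unknown kid. The JWKSCache type, its field names and the DefaultJWKSTTL constant are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
	"time"
)

const DefaultJWKSTTL = time.Minute // assumed fallback when the endpoint sends no usable Cache-Control max-age
type JWK struct{ Kid, Kty string } // only the fields needed here; encoding/json matches "kid"/"kty" case-insensitively
type JWKSCache struct { // re-fetches the JWKS URI once its copy expires, so keys the issuer rotates are picked up
	URL     string
	keys    map[string]JWK // keyed by kid
	expires time.Time      // zero value forces a fetch on first use
}
// ttlFromCacheControl returns the header's max-age, or DefaultJWKSTTL when it is absent or invalid.
func ttlFromCacheControl(h string) time.Duration {
	for _, d := range strings.Split(strings.ToLower(h), ",") {
		var secs int
		if _, err := fmt.Sscanf(strings.TrimSpace(d), "max-age=%d", &secs); err == nil && secs > 0 {
			return time.Duration(secs) * time.Second
		}
	}
	return DefaultJWKSTTL
}
// Key returns the key for kid, re-fetching the set first if the cached copy has expired (not goroutine-safe).
func (c *JWKSCache) Key(kid string) (JWK, error) {
	if !time.Now().Before(c.expires) {
		resp, err := http.Get(c.URL)
		if err != nil {
			return JWK{}, err
		}
		defer resp.Body.Close()
		var set struct{ Keys []JWK }
		if err := json.NewDecoder(resp.Body).Decode(&set); err != nil || resp.StatusCode != http.StatusOK {
			return JWK{}, fmt.Errorf("jwks fetch from %s: HTTP %d, %v", c.URL, resp.StatusCode, err)
		}
		c.keys = make(map[string]JWK, len(set.Keys))
		for _, k := range set.Keys {
			c.keys[k.Kid] = k
		}
		c.expires = time.Now().Add(ttlFromCacheControl(resp.Header.Get("Cache-Control")))
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return JWK{}, fmt.Errorf("no key with kid %q at %s", kid, c.URL)
}
```

A caller verifying a bot's token looks up the token's kid through Key, so a restart after the issuer's 7-day rotation sees the new key once the cached copy expires.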
since IAM joining is a workaround in these environments.
Aha! I didn't know we could use IAM based auth for bots running on k8s. That solves our problem for now. Thanks a lot @strideynet!
This is related to https://github.com/gravitational/teleport/issues/37183
What would you like Teleport to do?
Provide the ability to specify a URI from which the JWKS can be fetched periodically.
What problem does this solve?
EKS with OIDC rotates the underlying signing keys every 7 days. This means that Machine ID bots authenticated using a static JWKS will fail to authenticate if they restart after 7 days.
If a workaround exists, please include it.
Unfortunately, the only workaround is to manually update the associated token every 7 days.