gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

AWS App Access: all the allowed AWS Roles should be displayed #42749

Open marcoandredinis opened 2 weeks ago

marcoandredinis commented 2 weeks ago

Teleport shows a list of allowed AWS Roles when a user tries to access the AWS Console. This list might not show all the available AWS Roles when the user configures the aws_account_id label in the App resource.

As an example, let's consider the following App:

kind: app
metadata:
  labels:
    aws_account_id: "111111111111"
  name: aws-console
spec:
# ...

And the following Role:

spec:
  allow:
    app_labels:
      aws_account_id: "111111111111"
    aws_role_arns:
    - arn:aws:iam::111111111111:role/users/admin-user
    - arn:aws:iam::222222222222:role/users/admin-user

Per RBAC, the user can access arn:aws:iam::222222222222:role/users/admin-user; however, it doesn't show up in the dropdown because Teleport filters out all the AWS Roles that don't match the account id.

Filtering happens here: https://github.com/gravitational/teleport/blob/582ba28b69291ca6551aa718e16929f9013f8564/lib/utils/aws/aws.go#L248

But the fix must be spread across different clients (tsh, web ui and connect).

Bug details:

webvictim commented 1 week ago

Is the intent here that a user with a role only granting permissions on one aws_account_id should be able to assume roles in another? I'd have thought that was a violation of the RBAC principle.

marcoandredinis commented 1 week ago

My understanding is that aws_account_id label in Teleport Role app_labels is used to filter which Apps you get access to. Just like any other label. After you get access to a given App, you can use whatever AWS Roles that specific Role gives you access to.

This should be clear in the docs https://goteleport.com/docs/ver/17.x/application-access/cloud-apis/aws-console/#multiple-aws-accounts

I think this ends up being a misconfiguration, because I'm not seeing a valid use case for having a Role that grants access to Apps with aws_account_id: X, but then has AWS Roles for other AWS Accounts. E.g.:

spec:
  allow:
    app_labels:
      aws_account_id: "111111111111"
    aws_role_arns:
    - arn:aws:iam::222222222222:role/users/admin-user

Would you consider this a valid Role? I know it's technically valid, but is there a use case for it?

webvictim commented 1 week ago

Yeah it's a misconfiguration IMO - if the user desires a role that grants access to multiple ARNs across different accounts, they shouldn't set the aws_account_id label inside the role.
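The two behaviours discussed in this thread, the account-id filtering from the first comment and the "label says account X, ARNs point at account Y" misconfiguration the thread settles on, can be checked with a small Go program. The code below is an added illustration written for this page, not Teleport's own implementation in lib/utils/aws/aws.go; the Role struct, the accountIDFromARN helper and the treatment of the "*" label value as a wildcard are assumptions made for the example, and the sample role is constructed from the YAML in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Role holds only the two Teleport role fields relevant to this issue.
// Constructed type for this example; it is not Teleport's types.Role.
type Role struct {
	Name        string
	AppLabels   map[string]string // spec.allow.app_labels
	AWSRoleARNs []string          // spec.allow.aws_role_arns
}

// accountIDFromARN returns the account-id field of an IAM ARN of the form
// arn:partition:iam::account-id:resource, or "" if the ARN is malformed.
// Hypothetical helper written for this example.
func accountIDFromARN(arn string) string {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return ""
	}
	return parts[4]
}

// FilterARNsByAccount models the dropdown behaviour the issue describes:
// only ARNs whose account id equals the app's aws_account_id label are
// offered, even when RBAC allows ARNs in other accounts. An app without the
// label (accountID == "") leaves the list untouched.
func FilterARNsByAccount(arns []string, accountID string) []string {
	if accountID == "" {
		return append([]string(nil), arns...)
	}
	var out []string
	for _, arn := range arns {
		if accountIDFromARN(arn) == accountID {
			out = append(out, arn)
		}
	}
	return out
}

// MismatchedARNs lints a role for the misconfiguration the thread concludes
// on: the role pins app access to one aws_account_id but lists ARNs in other
// accounts, which can therefore never appear in the console dropdown.
// Returns nil when the role sets no aws_account_id label or uses "*"
// (assumed here to be Teleport's match-anything label value).
func MismatchedARNs(r Role) []string {
	want, ok := r.AppLabels["aws_account_id"]
	if !ok || want == "*" {
		return nil
	}
	var bad []string
	for _, arn := range r.AWSRoleARNs {
		if accountIDFromARN(arn) != want {
			bad = append(bad, arn)
		}
	}
	return bad
}

func main() {
	// Constructed sample mirroring the role and app from the issue.
	role := Role{
		Name:      "aws-admin",
		AppLabels: map[string]string{"aws_account_id": "111111111111"},
		AWSRoleARNs: []string{
			"arn:aws:iam::111111111111:role/users/admin-user",
			"arn:aws:iam::222222222222:role/users/admin-user",
		},
	}
	fmt.Println("offered in dropdown:", FilterARNsByAccount(role.AWSRoleARNs, "111111111111"))
	for _, arn := range MismatchedARNs(role) {
		fmt.Printf("role %q: %s is outside labelled account; drop the ARN or the label\n", role.Name, arn)
	}
}
```

Running the program lists only the 111111111111 ARN as offered and flags the 222222222222 ARN as unreachable through this role, which is the signal an administrator wants when reviewing roles before users hit the missing dropdown entry.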