Open marcoandredinis opened 2 weeks ago
Is the intent here that a user with a role only granting permissions on one aws_account_id
should be able to assume roles in another? I'd have thought that was a violation of the RBAC principle.
My understanding is that the `aws_account_id` label in the Teleport Role `app_labels` is used to filter which Apps you get access to, just like any other label.
After you get access to a given App, you can use whatever AWS Roles that specific Role gives you access to.
This should be clear in the docs: https://goteleport.com/docs/ver/17.x/application-access/cloud-apis/aws-console/#multiple-aws-accounts
I think this ends up being a misconfiguration, because I'm not seeing a valid use case for having a Role that grants access to Apps with `aws_account_id: X`, but then has AWS Roles for other AWS Accounts.
Eg:
```yaml
spec:
  allow:
    app_labels:
      aws_account_id: "111111111111"
    aws_role_arns:
      - arn:aws:iam::222222222222:role/users/admin-user
```
Would you consider this a valid Role? I know it's technically valid, but is there a use case for it?
Yeah, it's a misconfiguration IMO - if the user desires a role that grants access to multiple ARNs across different accounts, they shouldn't set the `aws_account_id` label inside the role.
Teleport shows a list of allowed AWS Roles when the user tries to access the AWS Console. This list might not show all the available AWS Roles when the user configures the `aws_account_id` label in the App resource. As an example, let's consider the following App:
And the following Role:
Per RBAC, the user can access `arn:aws:iam::222222222222:role/users/admin-user`; however, it doesn't show up in the dropdown because Teleport filters out all the AWS Roles that don't match the account id.
Filtering happens here: https://github.com/gravitational/teleport/blob/582ba28b69291ca6551aa718e16929f9013f8564/lib/utils/aws/aws.go#L248
But the fix must be spread across different clients (tsh, web ui and connect).
Bug details:
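As an added illustration of the mismatch described in this thread (this is example code, not Teleport's own implementation), the snippet below narrows a role's allowed ARNs to the App's `aws_account_id` the way the dropdown filter does, and reports which RBAC-allowed ARNs are hidden as a result. The helper names and the extra `read-only` role ARN are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// accountIDFromARN returns the account-id field of an IAM ARN
// (arn:partition:service:region:account-id:resource), or "" if the
// string does not have that shape. Hypothetical helper, not Teleport's.
func accountIDFromARN(arn string) string {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" {
		return ""
	}
	return parts[4]
}

// filterRolesByAccount mimics the dropdown behaviour discussed in the
// issue: the ARNs allowed by the user's Teleport role are narrowed to
// those whose account matches the App's aws_account_id label. It returns
// the ARNs that would be shown and the ARNs RBAC allows but the filter
// hides. Hypothetical helper, not Teleport's code.
func filterRolesByAccount(appAccountID string, allowedARNs []string) (shown, hidden []string) {
	for _, arn := range allowedARNs {
		if accountIDFromARN(arn) == appAccountID {
			shown = append(shown, arn)
		} else {
			hidden = append(hidden, arn)
		}
	}
	return shown, hidden
}

func main() {
	// Constructed input based on the thread: the App is labelled with
	// account 111111111111, while the Teleport role also allows an
	// admin role in account 222222222222.
	appAccount := "111111111111"
	allowed := []string{
		"arn:aws:iam::111111111111:role/users/read-only",
		"arn:aws:iam::222222222222:role/users/admin-user",
	}
	shown, hidden := filterRolesByAccount(appAccount, allowed)
	fmt.Println("shown in dropdown:", shown)
	fmt.Println("allowed by RBAC but hidden:", hidden)
}
```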