gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

16.0.3: `tsh aws` fails demanding that `--aws-role flag is required` #43842

Open portswigger-tim opened 5 days ago

portswigger-tim commented 5 days ago

Expected behavior:

tsh aws commands do not ask for --aws-role

Current behavior:

1. Login to the app:

    tsh apps login security-it-prod --aws-role teleport-administrator-role
    Logged into AWS app "security-it-prod".

    Your IAM role: arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-administrator-role

    Example AWS CLI command: tsh aws s3 ls

    Or start a local proxy: tsh proxy aws --app security-it-prod

2. Try a tsh aws command:

    tsh aws s3 ls
    Available AWS roles:
    Role Name                   Role ARN
    --------------------------- -------------------------------------------------------------------------
    teleport-administrator-role arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-administrator-role
    teleport-readonly-role      arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-readonly-role

    ERROR: --aws-role flag is required

The tsh aws command does not need --aws-role; it also doesn't understand it.

    tsh aws --aws-role teleport-administrator-role s3 ls
    tsh: error: unknown long flag '--aws-role'
    usage: tsh aws [] [...]

    Access AWS API.

    Flags:
      -l, --login                       Remote host login
          --proxy                       Teleport proxy address
          --user                        Teleport user, defaults to current local user
          --ttl                         Minutes to live for a session
      -i, --identity                    Identity file
          --cert-format                 SSH certificate format
          --[no-]insecure               Do not verify server's certificate and host name. Use only in test environments
          --auth                        Specify the name of authentication connector to use.
          --[no-]skip-version-check     Skip version checking between server and client.
      -d, --[no-]debug                  Verbose logging to stdout
      -k, --add-keys-to-agent           Controls how keys are handled. Valid values are [auto no yes only].
          --[no-]enable-escape-sequences  Enable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences. Default is enabled.
          --bind-addr                   Override host:port used when opening a browser for cluster logins
          --callback                    Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr.
          --mfa-mode                    Preferred mode for MFA and Passwordless assertions (auto, cross-platform, platform, otp)
          --[no-]headless               Use headless login. Shorthand for --auth=headless.
          --mlock                       Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict).
          --piv-slot                    Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d"
      -J, --jumphost                    SSH jumphost
          --app                         Optional Name of the AWS application to use if logged into multiple.
          --exec                        Execute different commands (e.g. terraform) under Teleport credentials

    Args:
      []  AWS command and subcommands arguments that are going to be forwarded to AWS CLI.

    Aliases:

    ERROR: unknown long flag '--aws-role'



Bug details:
- Teleport version: 16.0.3
- Recreation steps: See above
- Debug logs: See above

portswigger-tim commented 5 days ago

- 15.4.7: works as expected
- 16.0.1: works as expected
- 16.0.2: pkg does not exist
- 16.0.3: broken
- 16.0.4: broken

portswigger-tim commented 5 days ago

Possibly introduced in this very small, easy to read change :grimacing: - https://github.com/gravitational/teleport/pull/40985

portswigger-tim commented 5 days ago

Relevant debug logs:

2024-07-04T10:16:17+01:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-04 16:09:02 +0000 UTC". client/client_store.go:118
Available AWS roles:
Role Name                   Role ARN
--------------------------- -------------------------------------------------------------------------
teleport-administrator-role arn:aws:iam::671582398017:role/pipeline-roles/teleport-administrator-role
teleport-readonly-role      arn:aws:iam::671582398017:role/pipeline-roles/teleport-readonly-role

ERROR REPORT:
Original Error: *trace.BadParameterError --aws-role flag is required
Stack Trace:
    github.com/gravitational/teleport/tool/tsh/common/app_aws.go:315 github.com/gravitational/teleport/tool/tsh/common.getARNFromFlags
    github.com/gravitational/teleport/tool/tsh/common/app.go:561 github.com/gravitational/teleport/tool/tsh/common.(*appInfo).checkAndSetDefaults
    github.com/gravitational/teleport/tool/tsh/common/app.go:511 github.com/gravitational/teleport/tool/tsh/common.getAppInfo
    github.com/gravitational/teleport/tool/tsh/common/app_aws.go:353 github.com/gravitational/teleport/tool/tsh/common.pickAWSApp
    github.com/gravitational/teleport/tool/tsh/common/app_aws.go:47 github.com/gravitational/teleport/tool/tsh/common.onAWS
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1521 github.com/gravitational/teleport/tool/tsh/common.Run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:608 github.com/gravitational/teleport/tool/tsh/common.Main
    github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
    runtime/proc.go:271 runtime.main
    runtime/asm_arm64.s:1222 runtime.goexit
User Message: --aws-role flag is required
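To make the expected behaviour described in the report and the `getARNFromFlags` frame in the stack trace concrete, here is an added illustration in Go of the resolution order a `tsh aws` call would need so that the flag is only demanded when no role can be inferred. This is hypothetical example code written for this page, not Teleport's implementation; the `awsAppLogin` type, `resolveRoleARN`, `matchRole` and the sample ARNs (with a placeholder account id) are all assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// awsAppLogin is a constructed stand-in for the state tsh keeps after `tsh apps login` (not Teleport's real type).
type awsAppLogin struct {
	RoleARN   string   // ARN chosen at login; empty if none was chosen
	Available []string // role ARNs the user may assume for this app
}

var errRoleRequired = errors.New("--aws-role flag is required")

// resolveRoleARN: an explicit flag wins, then the ARN recorded at login,
// then the only available role; the flag is required only when none apply.
func resolveRoleARN(login awsAppLogin, flagRole string) (string, error) {
	if flagRole != "" {
		return matchRole(login.Available, flagRole)
	}
	if login.RoleARN != "" {
		return login.RoleARN, nil
	}
	if len(login.Available) == 1 {
		return login.Available[0], nil
	}
	return "", errRoleRequired
}

// matchRole accepts a full ARN or just the role name after the last '/'.
func matchRole(available []string, want string) (string, error) {
	for _, arn := range available {
		if arn == want || strings.HasSuffix(arn, "/"+want) {
			return arn, nil
		}
	}
	return "", fmt.Errorf("role %q is not among the %d available roles", want, len(available))
}

func main() {
	// Constructed sample mirroring the issue; the account id is a placeholder.
	avail := []string{
		"arn:aws:iam::000000000000:role/pipeline-roles/teleport-administrator-role",
		"arn:aws:iam::000000000000:role/pipeline-roles/teleport-readonly-role",
	}
	arn, err := resolveRoleARN(awsAppLogin{RoleARN: avail[0], Available: avail}, "")
	fmt.Println(arn, err) // prints the administrator ARN and <nil>
}
```

With two roles available and no role recorded at login, the function returns the same "--aws-role flag is required" error the report shows; with the login-time role recorded, it never does.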