Open portswigger-tim opened 5 days ago
15.4.7 works as expected
16.0.1 works as expected
16.0.2 pkg does not exist
16.0.3 broken
16.0.4 broken
Possibly introduced in this very small, easy to read change :grimacing: - https://github.com/gravitational/teleport/pull/40985
Relevant debug logs:
2024-07-04T10:16:17+01:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-04 16:09:02 +0000 UTC". client/client_store.go:118
Available AWS roles:
Role Name Role ARN
--------------------------- -------------------------------------------------------------------------
teleport-administrator-role arn:aws:iam::671582398017:role/pipeline-roles/teleport-administrator-role
teleport-readonly-role arn:aws:iam::671582398017:role/pipeline-roles/teleport-readonly-role
ERROR REPORT:
Original Error: *trace.BadParameterError --aws-role flag is required
Stack Trace:
github.com/gravitational/teleport/tool/tsh/common/app_aws.go:315 github.com/gravitational/teleport/tool/tsh/common.getARNFromFlags
github.com/gravitational/teleport/tool/tsh/common/app.go:561 github.com/gravitational/teleport/tool/tsh/common.(*appInfo).checkAndSetDefaults
github.com/gravitational/teleport/tool/tsh/common/app.go:511 github.com/gravitational/teleport/tool/tsh/common.getAppInfo
github.com/gravitational/teleport/tool/tsh/common/app_aws.go:353 github.com/gravitational/teleport/tool/tsh/common.pickAWSApp
github.com/gravitational/teleport/tool/tsh/common/app_aws.go:47 github.com/gravitational/teleport/tool/tsh/common.onAWS
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1521 github.com/gravitational/teleport/tool/tsh/common.Run
github.com/gravitational/teleport/tool/tsh/common/tsh.go:608 github.com/gravitational/teleport/tool/tsh/common.Main
github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
runtime/proc.go:271 runtime.main
runtime/asm_arm64.s:1222 runtime.goexit
User Message: --aws-role flag is required
Expected behavior:
tsh aws commands do not ask for --aws-role
Current behavior:
Your IAM role: arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-administrator-role
Example AWS CLI command: tsh aws s3 ls
Or start a local proxy: tsh proxy aws --app security-it-prod
tsh aws s3 ls
Available AWS roles:
Role Name Role ARN
teleport-administrator-role arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-administrator-role
teleport-readonly-role arn:aws:iam::XXXXXXX:role/pipeline-roles/teleport-readonly-role
ERROR: --aws-role flag is required

The tsh aws command does not need --aws-role; it also doesn't understand it.

tsh aws --aws-role teleport-administrator-role s3 ls
tsh: error: unknown long flag '--aws-role'
usage: tsh aws [] [...]
Access AWS API.
Flags:
  -l, --login Remote host login
  --proxy Teleport proxy address
  --user Teleport user, defaults to current local user
  --ttl Minutes to live for a session
  -i, --identity Identity file
  --cert-format SSH certificate format
  --[no-]insecure Do not verify server's certificate and host name. Use only in test environments
  --auth Specify the name of authentication connector to use.
  --[no-]skip-version-check Skip version checking between server and client.
  -d, --[no-]debug Verbose logging to stdout
  -k, --add-keys-to-agent Controls how keys are handled. Valid values are [auto no yes only].
  --[no-]enable-escape-sequences Enable support for SSH escape sequences. Type '~?' during an SSH session to list supported sequences. Default is enabled.
  --bind-addr Override host:port used when opening a browser for cluster logins
  --callback Override the base URL (host:port) of the link shown when opening a browser for cluster logins. Must be used with --bind-addr.
  --mfa-mode Preferred mode for MFA and Passwordless assertions (auto, cross-platform, platform, otp)
  --[no-]headless Use headless login. Shorthand for --auth=headless.
  --mlock Determines whether process memory will be locked and whether failure to do so will be accepted (off, auto, best_effort, strict).
  --piv-slot Specify a PIV slot key to use for Hardware Key support instead of the default. Ex: "9d"
  -J, --jumphost SSH jumphost
  --app Optional Name of the AWS application to use if logged into multiple.
  --exec Execute different commands (e.g. terraform) under Teleport credentials

Args:
  [] AWS command and subcommands arguments that are going to be forwarded to AWS CLI.
Aliases:
ERROR: unknown long flag '--aws-role'