gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Multi-AWS apps support for `tsh aws` and `tsh proxy aws` #45629

Open greedy52 opened 3 weeks ago

greedy52 commented 3 weeks ago

What would you like Teleport to do? It's a common Terraform setup to use multiple AWS accounts/roles. Teleport should support a simple way to allow Terraform to access different AWS apps (and potentially the same app but different role ARNs) in the same Terraform run.

If a workaround exists, please include it.

Related:

greedy52 commented 3 weeks ago

Here is a rough design that may achieve this, but it is up for discussion.

When tsh apps login my-aws-app-account-dev is run, an AWS credentials file is written to $TELEPORT_HOME/aws/credentials (aka ~/.tsh/aws/credentials):

[my-aws-app-account-prod.my-cluster.teleport.sh]
aws_access_key_id = <generated_access_key_prod>
aws_secret_access_key = <generated_secret_key_prod>

[my-aws-app-account-dev.my-cluster.teleport.sh]
aws_access_key_id = <generated_access_key_dev>
aws_secret_access_key = <generated_secret_key_dev>

When running tsh aws --shared-credentials --exec and tsh proxy aws --shared-credentials, all credentials from this file will be loaded. A single local proxy will be running on the client machine like today. When a request comes in, the app name will be mapped using the access key and the corresponding app cert will be used to authenticate upstream.

tsh aws --shared-credentials --exec and tsh proxy aws --shared-credentials will run with the AWS_SHARED_CREDENTIALS_FILE, AWS_CA_BUNDLE, and HTTPS_PROXY env vars set. It's the client's responsibility to use the correct AWS profile in their application. Terraform, for example:

provider "aws" {
  alias = "prod"
  profile = "my-aws-app-account-prod.my-cluster.teleport.sh"
}

provider "aws" {
  alias = "dev"
  profile = "my-aws-app-account-dev.my-cluster.teleport.sh"
}
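
The mapping step of this design (an incoming request's access key id selects the app cert the local proxy should use upstream), as an added illustration that is not Teleport's code: the credentials file contents, profile names and key ids below are constructed placeholders, and the Authorization header format is standard SigV4. Unknown or ambiguous keys are rejected rather than resolved to a default app.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of the proposed $TELEPORT_HOME/aws/credentials file; values are placeholders.
const credentialsFile = `[my-aws-app-account-prod.my-cluster.teleport.sh]
aws_access_key_id = AKIAPRODPLACEHOLDER0
aws_secret_access_key = prod-secret-placeholder
[my-aws-app-account-dev.my-cluster.teleport.sh]
aws_access_key_id = AKIADEVPLACEHOLDER00
`

// loadKeyToProfile maps each aws_access_key_id in the INI file to its profile (app)
// name; the same key under two profiles is rejected, since no single app cert fits it.
func loadKeyToProfile(contents string) (map[string]string, error) {
	keyToProfile, profile := map[string]string{}, ""
	for _, raw := range strings.Split(contents, "\n") {
		k, v, ok := strings.Cut(strings.TrimSpace(raw), "=") // k is the whole line if no "="
		switch { // secrets, comments and blank lines match neither case
		case !ok && strings.HasPrefix(k, "[") && strings.HasSuffix(k, "]"):
			profile = k[1 : len(k)-1]
		case ok && strings.TrimSpace(k) == "aws_access_key_id" && profile != "":
			id := strings.TrimSpace(v)
			if other, dup := keyToProfile[id]; dup && other != profile {
				return nil, fmt.Errorf("access key %q is in profiles %q and %q", id, other, profile)
			}
			keyToProfile[id] = profile
		}
	}
	return keyToProfile, nil
}

// profileForAuthorization takes the access key id from a SigV4 Authorization header
// ("... Credential=<key id>/<date>/<region>/<service>/aws4_request, ...") and fails closed on unknown keys.
func profileForAuthorization(auth string, keyToProfile map[string]string) (string, error) {
	_, rest, ok := strings.Cut(auth, "Credential=")
	id, _, _ := strings.Cut(rest, "/")
	if profile, found := keyToProfile[id]; ok && found {
		return profile, nil
	}
	return "", fmt.Errorf("request signed with unknown access key %q", id)
}

func main() {
	m, _ := loadKeyToProfile(credentialsFile)
	fmt.Println(profileForAuthorization("AWS4-HMAC-SHA256 Credential=AKIADEVPLACEHOLDER00/20240801/us-east-1/sts/aws4_request, SignedHeaders=host, Signature=0", m))
}
```
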

greedy52 commented 3 weeks ago

@thameezb I created a new issue to track this. Feel free to leave comments here.

I will bring this up for our next quarter's planning.

userhas404d commented 3 weeks ago

This doesn't necessarily address use of a proxy, but you might be able to simplify the AWS config by making use of the credential_provider option, potentially with less management overhead for end users too.