Open greedy52 opened 3 weeks ago
Here is a rough design that may achieve this but up for discussion.
When running `tsh apps login my-aws-app-account-dev`, an AWS credentials file is written to `$TELEPORT_HOME/aws/credentials` (aka `~/.tsh/aws/credentials`):
```ini
[my-aws-app-account-prod.my-cluster.teleport.sh]
aws_access_key_id = <generated_access_key_prod>
aws_secret_access_key = <generated_secret_key_prod>

[my-aws-app-account-dev.my-cluster.teleport.sh]
aws_access_key_id = <generated_access_key_dev>
aws_secret_access_key = <generated_secret_key_dev>
```
When running `tsh aws --shared-credentials --exec` and `tsh proxy aws --shared-credentials`, all credentials from this file will be loaded. A single local proxy will be running on the client machine like today. When a request comes in, the app name will be mapped using the access key, and the corresponding app cert will be used to authenticate upstream.

`tsh aws --shared-credentials --exec` and `tsh proxy aws --shared-credentials` will run with the `AWS_SHARED_CREDENTIALS_FILE`, `AWS_CA_BUNDLE`, and `HTTPS_PROXY` env vars set. It's the client's responsibility to use the correct AWS profile in their application. Terraform, for example:
```hcl
provider "aws" {
  alias   = "prod"
  profile = "my-aws-app-account-prod.my-cluster.teleport.sh"
}

provider "aws" {
  alias   = "dev"
  profile = "my-aws-app-account-dev.my-cluster.teleport.sh"
}
```
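The step the design above hinges on is the one the local proxy performs when a request arrives: pick the app by the access key id, then check the signature with that profile's secret before re-authenticating upstream with the app certificate. The following is an added example of that mapping, not Teleport code and not part of greedy52's comment. It uses the profile names from the comment; the key values, the request, the `load_key_map`, `sign_request` and `resolve_app` names and the error types are all constructed for illustration, and the upstream re-signing with the app cert is left out.

```python
import configparser
import hashlib
import hmac
import re

# Constructed credentials file in the layout proposed in the issue.  A real
# implementation would generate a random key pair per app login; these values
# are placeholders and only ever authenticate the client to the local proxy.
CREDENTIALS_INI = """\
[my-aws-app-account-prod.my-cluster.teleport.sh]
aws_access_key_id = AKIAPRODEXAMPLE00001
aws_secret_access_key = prod-secret-example
[my-aws-app-account-dev.my-cluster.teleport.sh]
aws_access_key_id = AKIADEVEXAMPLE000001
aws_secret_access_key = dev-secret-example
"""

# Shape of the SigV4 Authorization header the AWS SDKs (and Terraform) send.
_AUTH_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request,"
    r"\s*SignedHeaders=([^,]+),\s*Signature=([0-9a-f]{64})$"
)


def load_key_map(ini_text):
    """Index every profile by its access key id: {akid: (profile, secret)}.
    The id is the only selector visible in a request, so it must be unique
    across profiles or the app mapping is ambiguous."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    key_map = {}
    for profile in cp.sections():
        akid = cp[profile]["aws_access_key_id"]
        if akid in key_map:
            raise ValueError(f"access key id {akid} is used by more than one profile")
        key_map[akid] = (profile, cp[profile]["aws_secret_access_key"])
    return key_map


def _signing_key(secret, date, region, service):
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def _string_to_sign(method, path, query, headers, signed_headers, payload, scope):
    """SigV4 canonical request -> string to sign (headers already lowercased)."""
    names = signed_headers.split(";")
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    canonical = "\n".join([method, path, query, canonical_headers, signed_headers,
                           hashlib.sha256(payload).hexdigest()])
    return "\n".join(["AWS4-HMAC-SHA256", headers["x-amz-date"], scope,
                      hashlib.sha256(canonical.encode()).hexdigest()])


def sign_request(akid, secret, region, service, method, path, query, headers, payload):
    """Client side: what the SDK does with the profile it was told to use.
    Returns the lowercased headers plus the Authorization header."""
    headers = {k.lower(): v for k, v in headers.items()}
    date = headers["x-amz-date"][:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    signed_headers = ";".join(sorted(headers))
    sts = _string_to_sign(method, path, query, headers, signed_headers, payload, scope)
    sig = hmac.new(_signing_key(secret, date, region, service), sts.encode(),
                   hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={akid}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={sig}")
    return headers


def resolve_app(key_map, method, path, query, headers, payload):
    """Proxy side: pick the profile (app) by access key id, then prove the
    caller holds that profile's secret by recomputing the signature.  An
    unknown id, a bad signature or a tampered request is rejected; there is
    deliberately no fallback to a default app."""
    headers = {k.lower(): v for k, v in headers.items()}
    m = _AUTH_RE.match(headers.get("authorization", ""))
    if not m:
        raise PermissionError("missing or malformed SigV4 Authorization header")
    akid, date, region, service, signed_headers, sig = m.groups()
    if akid not in key_map:
        raise PermissionError(f"access key id {akid} does not belong to any profile")
    if any(n not in headers for n in signed_headers.split(";")):
        raise PermissionError("request lacks a header it claims to have signed")
    profile, secret = key_map[akid]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = _string_to_sign(method, path, query, headers, signed_headers, payload, scope)
    expected = hmac.new(_signing_key(secret, date, region, service), sts.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError(f"signature does not verify under profile {profile}")
    return profile


if __name__ == "__main__":
    key_map = load_key_map(CREDENTIALS_INI)
    hdrs = {"Host": "sts.amazonaws.com", "X-Amz-Date": "20240101T000000Z"}
    body = b"Action=GetCallerIdentity&Version=2011-06-15"
    signed = sign_request("AKIADEVEXAMPLE000001", "dev-secret-example",
                          "us-east-1", "sts", "POST", "/", "", hdrs, body)
    print(resolve_app(key_map, "POST", "/", "", signed, body))
```

Two properties matter for a multi-account Terraform run. The access key id is the only thing that selects the app, so the generated ids must be unique across profiles (the loader refuses a file where they are not), and a request whose id is unknown or whose signature does not verify must be rejected rather than routed to some default app; otherwise a provider block with a stale or mistyped `profile` would silently reach the wrong account.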
@thameezb I created a new issue to track this. Feel free to leave comments here.
I will bring this up for our next quarter's planning.
This doesn't necessarily address use of a proxy, but you might be able to simplify the AWS config by making use of the `credential_provider` option, potentially less management overhead for end users too.
What would you like Teleport to do?

It's a common Terraform setup to use multiple AWS accounts/roles. Teleport should support a simple way to allow Terraform to access different AWS apps (and potentially the same app but different role ARNs) in the same Terraform run.
If a workaround exists, please include it.
Run `tsh proxy aws --app <app> -p <different-ports>` per app and configure each Terraform provider block with `access_key`, `secret_key`, `https_proxy`, and `custom_ca_bundle` (`TELEPORT_AWS_ACCESS_KEY_ID` and `TELEPORT_AWS_SECRET_ACCESS_KEY` can be used to fix the access and secret key). Not very convenient: lots of setup, and you have to be careful that the local proxy port matches the right AWS app.

Related:
19551
44477